A SecureTicket, or Ticket, consists of salt, hash, valid_until, public_flags, flags, data and "invisible" hashed entropy.
Tickets are symmetrically signed using SHA256-HMAC. Fields 'valid_until', 'flags' and 'data' may be optionally encrypted using AES128-CBC or TripleAES128-CBC. Values 'data' and 'entropy' may consist of arbitrary objects which are transparently pickled(serialized), optionally gzipped and of course securely signed.
Specific implementations are included:
FormTicket: provides core implementation of state-less Cross Site Request Forgery protection.
Other use cases include ticketing object param values pointing at URL:s or services in HTML-objects such as Flash or Java Applets. This adds server-side choises to be made while preventing users from using arbitrary values.
Severe testing is done and will be mandatory for core and every specific implementation. Every single bit is flipped and various ticket contents and flag combinations are permutated.
Be the first to post a review of tickets!