All parameters encrypted/decrypted with the same secret

Description

Hi,
I have been looking at the Stripes framework and specifically at CryptoUtil class usage. It looks to me that all the parameters are encrypted/decrypted with the same secret, such as "password" repopulation, "_fp", "_sourcePage" internal parameters. Depending on implementation details on different sites, this makes the sites vulnerable to replay attack, such as copying an encrypted password to "_fp", copying a known redirect resolution page to "_sourcePage", etc.
It would be great if the framework could use different secrets derived from the configured one and use them with different parameters, fields and other different intentions.

-Xiaoyong
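The mitigation the report asks for, domain-separated keys derived from one configured secret, as an added stand-alone example (not Stripes' CryptoUtil code). It assumes a constructed master secret and uses an HMAC-based keystream purely so it runs with the standard library; a real implementation would use a proper authenticated cipher. The purpose label is mixed into both the key derivation and the authentication tag, so a value sealed for one parameter is rejected when presented as another:

```python
import hashlib
import hmac
import os

# Constructed master secret standing in for the configured one (not a real key).
MASTER_SECRET = b"constructed-demo-secret-do-not-use"


def derive_key(master: bytes, purpose: str) -> bytes:
    """Derive a purpose-specific key from the master secret via HMAC-SHA256."""
    # Distinct labels give unrelated keys: one per parameter, field or intention.
    return hmac.new(master, b"stripes-param:" + purpose.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (illustrative stand-in for a real cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master: bytes, purpose: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived for `purpose`; the tag covers the label too."""
    k = derive_key(master, purpose)
    k_enc, k_mac = derive_key(k, "enc"), derive_key(k, "mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, purpose.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master: bytes, purpose: str, token: bytes):
    """Return the plaintext, or None if the token was not sealed for this purpose."""
    if len(token) < 48:
        return None
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    k = derive_key(master, purpose)
    k_enc, k_mac = derive_key(k, "enc"), derive_key(k, "mac")
    expected = hmac.new(k_mac, purpose.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong purpose, wrong secret, or tampered token
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


def cross_purpose_substitution_rejected() -> bool:
    """A token sealed for the password field is refused when presented as _fp."""
    token = seal(MASTER_SECRET, "password", b"hunter2")
    return (open_sealed(MASTER_SECRET, "password", token) == b"hunter2"
            and open_sealed(MASTER_SECRET, "_fp", token) is None)
```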

Environment

None

Status

Assignee

Unassigned

Reporter

Xiaoyong Wu

Labels

None

Tester

None

Priority

Major