wait, so how hard is it actually to brute force sha224? Like, could I theoretically do it on my home computer? and then use the secret to "sign" my own cookie? (is the secret something lewd? I feel like it's something lewd)
• from 4eeb07b498ac4fa8
SHA2 is still secure enough that it can't reasonably be bruteforced. But if you did get the secret, yeah, you could just use it to validate any abitrary cookie.