How can I encrypt, and later decrypt, a cookie value in PHP? How secure will the encryption be?
5 Answers
There are a variety of different ways to encrypt information in cookies and elsewhere. The strength of the encryption will vary by the method you choose to do the actual encryption. mcrypt is a good place to start. See this answer for an example of using mcrypt.
I don't recommend putting anything sensitive in a cookie, even if it is going to be encrypted. Way too tempting for someone to crack. Try sticking to sessions if you can.
I am in full agreement with the other answers: If the data is truly sensitive it should be stored server side in a session, not in a cookie.
As far as ways to encrypt cookie contents, the Suhosin PHP extension provides the ability to transparently encrypt all cookies. If you have the ability to install PHP extensions this may or may not be easier for you than writing your own encryption scheme.
If the cookie is encrypted securely (for example, with a server-stored secret that changes on a regular basis) I see no problem with storing useful data in the cookie. Why store it on the server? Make the client do some work for a change -- especially if it is preferences. Why should the server have to constantly store and retrieve data from a session file? What if you have hundreds of thousands of users pounding your site? Now you have to maintain hundreds of thousands of session files.
I can think of a reasonable use for this. Suppose you have a large server farm; you're going to have a bottleneck at the database and/or memcached server for handling session requests: "is this user logged in?"
If you were to store the user's session data as an encrypted value in the cookie, then you can prevent having to do quite a few read/writes and allow for an unlimited sized cookie store since there is 0 impact on your side other than being CPU bound for encryption/decryption of the cookie data.
Ruby on Rails by default does this - although it only signs the data and does not encrypt it. There is an alternative implementation which encrypts the data with its own key and signature so the user is not able to see what data you store in their session.
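The encrypt-and-authenticate scheme this answer describes, as an added example in PHP (not code from the original answers or from Rails): `sodium_crypto_secretbox` gives authenticated encryption, so the separate signature is built in and any tampering makes decryption fail. The key-file path, cookie name and sample preferences are assumptions for illustration; PHP 7.3+ with the sodium extension is assumed.

```php
<?php
declare(strict_types=1);

const COOKIE_NAME = 'prefs';                     // assumption
const KEY_FILE    = '/etc/myapp/cookie.key';     // assumption: outside web root, mode 0600

/** Load the 32-byte server-side secret (generate it once with sodium_crypto_secretbox_keygen()). */
function loadCookieKey(string $path = KEY_FILE): string
{
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('cookie key missing or wrong length');
    }
    return $key;
}

/** Encrypt and authenticate an array; returns a URL-safe string to put in the cookie. */
function sealCookie(array $data, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh nonce per cookie
    $box   = sodium_crypto_secretbox(json_encode($data, JSON_THROW_ON_ERROR), $nonce, $key);
    // nonce || ciphertext || Poly1305 tag; the tag is what detects client-side edits
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

/** Verify and decrypt; returns null for a missing, malformed, tampered or foreign cookie. */
function openCookie(?string $raw, string $key): ?array
{
    if ($raw === null) {
        return null;
    }
    try {
        $bin = sodium_base642bin($raw, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;                                             // not valid base64
    }
    if (strlen($bin) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;                                             // too short to be ours
    }
    $nonce = substr($bin, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($bin, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        return null;                                             // wrong key or modified data
    }
    try {
        return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
}

// Usage: issue the cookie on one request, read it back on the next.
$key = loadCookieKey();
setcookie(COOKIE_NAME, sealCookie(['theme' => 'dark', 'uid' => 42], $key),
    ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
$prefs = openCookie($_COOKIE[COOKIE_NAME] ?? null, $key);       // array or null
```

Rotating the key, as the earlier answer suggests, simply makes every cookie sealed under the old key return null, so callers must treat null as "no preferences" rather than as an error.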
I can not simply think of a situation where encrypting data in the cookie is useful. If you want to retain secret data about the user or his preferences, information, whatever, then store it on the server in files, in the session or in the database, but not in the client's computer.
On the other hand, if you are creating an authentication, then you should use sessions instead of creating secret encrypted cookie values. Sessions weren't implemented for nothing, they are the way to go.
- Isn't a huge part of a RESTful API statelessness? In which case storing sensitive data via encrypted cookies w/ secret key is pretty fundamental. Or am I missing something? – PandemoniumSyndicate Dec 19 '12 at 18:08
- If your API is really stateless, no session exists. It should be the client's responsibility to store information between requests. – TlmaK0 Apr 11 '13 at 14:54
- "I can not simply think of a situation where encrypting data in the cookie is useful" The OP didn't ask whether you could or not; presumably, the OP knows "why", he asked "how". You did not answer that question. – Parthian Shot Feb 09 '15 at 00:15
- Here's one. Let's say you want your visitors to be able to use a feature on your page, custom tailored to them, without having to jump through the hoops of "logging in". For anything to do with money I'd agree with you. But there are other situations not requiring that level of security, but where the obfuscation of encryption would be valuable. – Randy Jun 29 '19 at 15:01
- @ParthianShot precisely my thinking when looking for an actual solution to my problem. The attitude expressed in this answer is the main obstacle of this platform. – Muckee Sep 20 '19 at 18:03