I need to securely encrypt and decrypt information about users (user_id and password) in cookies.
What is the best way to do this? What encryption and decryption functions do I need?
I'm using PHP and MySQL. An example would be appreciated.
A secure cookie can only be transmitted over an encrypted connection (i.e. HTTPS). They cannot be transmitted over unencrypted connections (i.e. HTTP). This makes the cookie less likely to be exposed to cookie theft via eavesdropping. A cookie is made secure by adding the Secure flag to the cookie.
When cookie encryption is enabled, the BIG-IP LTM system extracts the unencrypted cookie from the server response, encrypts it using a 192-bit AES cipher, and then encodes it using the Base64 encoding scheme. The BIG-IP LTM system then embeds the encrypted cookie into the HTTP response to the client.
The science of encrypting and decrypting information is called cryptography. In computing, unencrypted data is also known as plaintext, and encrypted data is called ciphertext. The formulas used to encode and decode messages are called encryption algorithms, or ciphers.
Decrypt the cookie and check the digest: decrypt the key of the cookie: do Base64 decoding, then decrypt it using your institution's private RSA key. Decrypt the data using the decrypted AES key. Check the digest using the secutix public certificate. The following example in java will show you how to proceed.
For example, to set an encrypted cookie:
<?php
$time = time()+60*60*24*30*12; // store cookie for roughly one year (360 days)
// last two arguments: secure=true (HTTPS only) and httponly=true (not readable by JavaScript)
setcookie('cookie_name', encryptCookie('cookie_value'), $time, '/', '', true, true);
?>
Get encrypted cookie value:
<?php
$cookie_value = decryptCookie($_COOKIE['cookie_name']);
?>
Here are the functions to encrypt and decrypt the cookie:
<?php
// NOTE: the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2;
// on current PHP use sodium_crypto_secretbox() or openssl_encrypt() instead.
// These functions encrypt but do not authenticate the cookie; a MAC is still needed
// to detect tampering.
function encryptCookie($value){
    if(!$value){return false;}
    // derive a 32-byte key so the key length is valid for Rijndael-256
    $key = hash('sha256', 'The Line Secret Key', true);
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
    // CBC needs a fresh, unpredictable IV per message; MCRYPT_RAND is not a CSPRNG
    $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);
    $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $value, MCRYPT_MODE_CBC, $iv);
    // prepend the IV so decryptCookie() can recover it, then encode for the cookie
    return base64_encode($iv . $crypttext);
}
function decryptCookie($value){
    if(!$value){return false;}
    $key = hash('sha256', 'The Line Secret Key', true);
    $raw = base64_decode($value, true); // strict decode of the cookie value
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
    if($raw === false || strlen($raw) <= $iv_size){return false;}
    $iv = substr($raw, 0, $iv_size);        // IV stored in front of the ciphertext
    $crypttext = substr($raw, $iv_size);
    $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $crypttext, MCRYPT_MODE_CBC, $iv);
    return rtrim($decrypttext, "\0");       // strip mcrypt's zero padding only
}
?>
You can read more about the mcrypt function here: php mcrypt function
Don't store passwords in a cookie. Never do this kind of thing.
If you want some way for your user to not have to enter their login and password to log in, you can generate some random token when they log in (sha1(mt_rand()) for example) and store this value in the cookie and database.
Then when trying to identify a user, you just have to check if the value found in their cookie can be found in your database. Generate a new value every time they log in (using name + password or with this cookie).
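The token scheme described in this answer, written out as an added example (not code from either answer). It uses random_bytes() as the token source, stores only a hash of the token server-side, and sets the Secure and HttpOnly flags mentioned earlier. It assumes PHP 7.3+, a PDO connection $db, and a hypothetical MySQL table user_tokens(user_id INT, token_hash CHAR(64), expires_at DATETIME).

```php
<?php
// Added example: persistent-login token, stored hashed in the DB and sent as a flagged cookie.
// Assumes PHP 7.3+ (setcookie options array), a PDO handle $db, and the hypothetical
// table user_tokens(user_id INT, token_hash CHAR(64), expires_at DATETIME).

const TOKEN_TTL = 60 * 60 * 24 * 30; // 30 days

function issueLoginToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));   // 256-bit token from the CSPRNG, 64 hex chars
    $hash  = hash('sha256', $token);      // DB keeps the hash only: a DB leak yields no usable cookies
    // rotate: every login invalidates the previous token for this user
    $db->prepare('DELETE FROM user_tokens WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO user_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, $hash, date('Y-m-d H:i:s', time() + TOKEN_TTL)]);
    setcookie('remember_me', $token, [
        'expires'  => time() + TOKEN_TTL,
        'path'     => '/',
        'secure'   => true,   // Secure flag: sent over HTTPS only
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    return $token;
}

function userFromLoginToken(PDO $db, ?string $cookie): ?int {
    // reject malformed cookies before touching the database
    if ($cookie === null || strlen($cookie) !== 64 || !ctype_xdigit($cookie)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM user_tokens WHERE token_hash = ? AND expires_at > NOW()'
    );
    $stmt->execute([hash('sha256', $cookie)]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Usage (assumed $db and $userId from a successful password login):
// issueLoginToken($db, $userId);
// On later requests:
// $userId = userFromLoginToken($db, $_COOKIE['remember_me'] ?? null);
```

Because the lookup is by the SHA-256 of the presented token, an attacker who can read the database still cannot forge a cookie, and expired rows are ignored by the query itself.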