I have two functions and a randomly generated key:
    // Both functions share one hard-coded secret. Note that the mcrypt extension
    // was deprecated in PHP 7.1 and removed in PHP 7.2.
    function encode ($a) {
        $key = "7HLgdzXyaTaZuTss6xayLk3qLTJ2jsRLgPnMzpNwhwnEZsnHUfHxfYW5r3sQcZsC";
        // md5($key) yields a 32-byte hex string used as the key; md5(md5($key)) yields a
        // fixed 32-byte IV (the Rijndael-256 block size), so every message gets the same IV.
        $aEncoded = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $a, MCRYPT_MODE_CBC, md5(md5($key))));
        return $aEncoded;
    }

    function decode ($a) {
        $key = "7HLgdzXyaTaZuTss6xayLk3qLTJ2jsRLgPnMzpNwhwnEZsnHUfHxfYW5r3sQcZsC";
        // mcrypt zero-pads the plaintext, so the trailing NUL bytes are stripped here.
        // CBC alone performs no integrity check, so a modified ciphertext still "decrypts".
        $aDecoded = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($a), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
        return $aDecoded;
    }
As a user logs in, some private data and the current timestamp get encoded and saved as a session cookie. The same timestamp is also saved in a MySQL database. Now I want to authenticate the user when he sends a packet to a ws server. Is it secure to send the key to the server, decode it there and check whether the timestamp in the key matches the last login saved in the MySQL database? (I will also check whether a key is old, so if someone doesn't log in anymore the key won't work after 6 hours.)

EDIT: The user won't be able to see those functions; the key will be generated in the login PHP file!
Encoding a string using base64 for login information does not increase security.

To implement a secure method, I suggest using key-binding encryption, just like OpenSSL.

PHP also supports it; you may define a key in your PHP program and encrypt your cookie with that. I also suggest using a dynamic key (i.e. a 6-digit date, 170417), in case you need the cookie to be completely undiscoverable!

Take a look at openssl_encrypt and openssl_get_cipher_method().
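The openssl_encrypt() approach suggested above, worked through as an added example that is not part of the answer or the question's own code: it uses AES-256-GCM with a fresh random nonce per token, so a cookie that has been modified or forged fails the tag check before its contents are trusted, and it embeds the login timestamp so the six-hour limit from the question can be enforced on the server. The 32-byte key is a placeholder to be loaded from configuration; the helper names and TOKEN_MAX_AGE are assumptions.

```php
<?php
// Added example: authenticated session token with openssl_encrypt() (AES-256-GCM).
// Assumptions: $key is a 32-byte secret from configuration (placeholder below);
// the caller compares the returned 'ts' with the login time stored in the database.

const TOKEN_MAX_AGE = 6 * 3600;          // 6 hours, as in the question
const TOKEN_CIPHER  = 'aes-256-gcm';
const TOKEN_TAG_LEN = 16;

function token_encode(string $key, array $data): string {
    $data['ts'] = time();                // login timestamp travels inside the token
    $plain = json_encode($data);
    $iv  = random_bytes(openssl_cipher_iv_length(TOKEN_CIPHER)); // fresh 12-byte nonce
    $tag = '';
    $ct  = openssl_encrypt($plain, TOKEN_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // iv || tag || ciphertext; base64 is only for cookie transport, not security
    return base64_encode($iv . $tag . $ct);
}

function token_decode(string $key, string $token, ?int $now = null): ?array {
    $now   = $now ?? time();
    $raw   = base64_decode($token, true);
    $ivLen = openssl_cipher_iv_length(TOKEN_CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TOKEN_TAG_LEN) {
        return null;                     // malformed cookie
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TOKEN_TAG_LEN);
    $ct  = substr($raw, $ivLen + TOKEN_TAG_LEN);
    // openssl_decrypt() verifies the GCM tag; any change to iv, tag or ciphertext returns false
    $plain = openssl_decrypt($ct, TOKEN_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        return null;                     // forged or modified token
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !isset($data['ts']) || $now - (int)$data['ts'] > TOKEN_MAX_AGE) {
        return null;                     // expired (older than 6 hours) or unexpected payload
    }
    return $data;                        // caller still checks $data['ts'] against the DB
}

// Usage with a PLACEHOLDER key; the real key must come from configuration, never source code.
$key   = str_repeat("\x00", 32);
$token = token_encode($key, ['uid' => 42]);
var_dump(token_decode($key, $token));                                   // array with 'uid' and 'ts'
var_dump(token_decode($key, substr($token, 0, -4) . 'AAAA'));           // NULL: tag check fails
```

Because the login timestamp is covered by the GCM tag, the server-side comparison with the database value cannot be influenced by editing the cookie, which is the property the CBC-only version lacks.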