View Full Version : Secure cookie encryption

11-27-2010, 06:43 PM
How to create some kind of very very fast (short script) new encryption using php to encrypt cookies?
Any idea?

11-27-2010, 06:50 PM
For example, first, cookie is being md5()
And i need to encrypt this md5 using my own little encryption.

11-27-2010, 07:02 PM
You can just add a 'key' at the beginning of what you want encrypted. Let's say your key is 'mystery_mile'.

$new_cookie_value = md5( 'mystery_mile'.$cookie_value);

Of course, it's not practical to decrypt an md5, you can only check against it. But your key will be unknown to the user so he can't check against it.

11-27-2010, 07:33 PM
Very nice idea.
Thanks you a lot. Strange, I didn't guess it myself, I was gonna to create my own encryption lol :D Stupid me.

I am gonna check em using substr_replace(). It will remove added secret keys at the beginning or at the end and will check if md5 in the cookie is the same like SQL entry.

Well, not md5, actually, because it sucks :D At least, sha1. ;-)

11-28-2010, 08:52 AM
There's no need to strip or replace anything. The whole point of having is a secret key is to use that as part of the hashing string.

function generate_hash($content, $algo = false)
$hash_algos = hash_algos();
$salt = 'your_private_key';

if ($algo && in_array($algo, $hash_algos))
return hash($algo, $salt.hash($algo, $content));
else if (in_array('sha256', $hash_algos))
return hash('sha256', $salt.hash('sha256', $content));
return sha1($salt.sha1($content));

12-29-2010, 08:40 PM
Sorry, hadn't enough time recently,
today I've coded cookies following DrDOS tip and here is an example:


Note: this is temporal apache server on my machine, site is not ready yet and is not registered anywhere yet.

Is it secure enough?

12-29-2010, 08:50 PM