  1. #1
    New Coder
    Join Date
    Nov 2010
    Posts
    30
    Thanks
    2
    Thanked 2 Times in 2 Posts

    Secure cookie encryption

    How to create some kind of very very fast (short script) new encryption using PHP to encrypt cookies?
    Any idea?

  • #2
    New Coder
    Join Date
    Nov 2010
    Posts
    30
    Thanks
    2
    Thanked 2 Times in 2 Posts
    For example, first, the cookie is being md5()
    And I need to encrypt this md5 using my own little encryption.

  • #3
    Senior Coder
    Join Date
    Sep 2010
    Posts
    1,974
    Thanks
    15
    Thanked 229 Times in 229 Posts
    You can just add a 'key' at the beginning of what you want encrypted. Let's say your key is 'mystery_mile'.

    $new_cookie_value = md5( 'mystery_mile'.$cookie_value);

    Of course, it's not practical to decrypt an md5, you can only check against it. But your key will be unknown to the user so he can't check against it.

  • Users who have thanked DrDOS for this post:

    StrangeCoder (11-27-2010)

  • #4
    New Coder
    Join Date
    Nov 2010
    Posts
    30
    Thanks
    2
    Thanked 2 Times in 2 Posts
    Very nice idea.
    Thank you a lot. Strange, I didn't guess it myself, I was gonna create my own encryption lol. Stupid me.

    I am gonna check em using substr_replace(). It will remove added secret keys at the beginning or at the end and will check if the md5 in the cookie is the same as the SQL entry.

    Well, not md5, actually, because it sucks. At least, sha1. ;-)
    Last edited by StrangeCoder; 11-27-2010 at 07:36 PM.

  • #5
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    There's no need to strip or replace anything. The whole point of having a secret key is to use that as part of the hashing string.

    Code:
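    // Hash $content together with a server-side secret.
    // $algo: optional name of a hash() algorithm; falls back to sha256, then sha1.
    function generate_hash($content, $algo = false)
    {
        $hash_algos = hash_algos();
        // Secret key kept on the server (called a salt here); never sent to the client.
        $salt = 'your_private_key';

        if ($algo && in_array($algo, $hash_algos))
        {
            // Use the requested algorithm if this PHP build supports it.
            return hash($algo, $salt.hash($algo, $content));
        }
        else if (in_array('sha256', $hash_algos))
        {
            return hash('sha256', $salt.hash('sha256', $content));
        }
        else
        {
            // Last resort when the hash extension does not offer sha256.
            return sha1($salt.sha1($content));
        }
    }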
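
Added example (not from the thread or any of its posters): the keyed-hash cookie check discussed in posts #3 to #5, written with PHP's built-in hash_hmac() and hash_equals() in place of the thread's hash(key . value) construction, with an expiry field added. COOKIE_KEY, sign_cookie(), verify_cookie() and all sample values are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. COOKIE_KEY, sign_cookie() and
// verify_cookie() are hypothetical names; requires PHP 7.1+.

// Constructed sample key. Assumption: a real key is 32+ random bytes kept
// server-side in configuration, never sent to the browser.
const COOKIE_KEY = 'constructed-sample-key-do-not-reuse';

// Build "<payload>.<tag>": payload is base64("<expiry>|<value>"), tag is the
// hex HMAC-SHA256 of the payload. The value stays readable; it is signed, not encrypted.
function sign_cookie(string $value, int $expires, string $key = COOKIE_KEY): string
{
    $payload = base64_encode($expires . '|' . $value);
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the original value, or null when the cookie is malformed,
// modified, or past its expiry time.
function verify_cookie(string $cookie, int $now, string $key = COOKIE_KEY): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;

    // Recompute the tag and compare in constant time before trusting any field.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null;
    }

    $decoded = base64_decode($payload, true);
    $fields = $decoded === false ? [] : explode('|', $decoded, 2);
    if (count($fields) !== 2 || !ctype_digit($fields[0]) || (int) $fields[0] < $now) {
        return null;
    }
    return $fields[1];
}

// Constructed demonstration values.
$now    = 1700000000;
$cookie = sign_cookie('user_id=42', $now + 3600);
[, $tag] = explode('.', $cookie);
$swapped = base64_encode(($now + 3600) . '|user_id=1') . '.' . $tag;

var_dump(verify_cookie($cookie, $now));          // untouched cookie
var_dump(verify_cookie($swapped, $now));         // payload replaced, old tag kept
var_dump(verify_cookie($cookie, $now + 7200));   // same cookie after expiry
```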

  • #6
    New Coder
    Join Date
    Nov 2010
    Posts
    30
    Thanks
    2
    Thanked 2 Times in 2 Posts
    Sorry, hadn't enough time recently,
    today I've coded cookies following DrDOS's tip and here is an example:

    http://goo.gl/vt2ul

    Note: this is a temporary Apache server on my machine, the site is not ready yet and is not registered anywhere yet.

    Is it secure enough?
    Last edited by StrangeCoder; 12-29-2010 at 09:07 PM.

  • #7
    New Coder
    Join Date
    Nov 2010
    Posts
    30
    Thanks
    2
    Thanked 2 Times in 2 Posts
    EG
    Code:
    Session=MGYxNWFhMDFiNTdjMGI0NWJiNDU5ZWEwYWI2Yzc2MzkyNzFkOGEwOQ%3D%3D; Login=RHVkZTMyMQ%3D%3D

