Yes, cookies come from the server. But the point of encrypting and all this rigmarole, is if you put user data, other than a number, inside a cookie. Assume that not a password, but if someone's age, maybe their login and some other info is in there for SOME reason. Either for performance reasons, not having to deal with clustering.. there is always a reason someone may want to do it. Heck, even a timestamp.

Yes, compress before encryption. Not after. I thought I said that, but if I was confusing, yes, we agree on that. Compression for size doesn't help all that much, 'cause you are right. Small data won't compress that much smaller percentage wise, but you still get the obfuscation, which is a bigger selling point.

But, the point of the exercise is, giving people some data and at the same time, keeping it private for some "good" duration. Not forever. given infinite time, any encryption scheme would be breakable, except for one way hashes. After all, a hash doesn't guarantee against collision... usually.

And yes, allowing modification of the data in the cookie is bad. More reason to compress, md5 the compressed part, take the two and encrypt that together. Thus, if you change one block, either the md5 gets mucked, or the data gets mucked. But the md5 of the data block will no longer be valid. Mathematically, you'd be more likely able to brute force and may even cryptoanalize (horrid spelling there :) the data before you can generate one that respects an md5, compression and encryption all in one.

The comperssion and what not does make things harder. I think we agree on that. But if you have to put some data out there because of some requirement, it's best to do it the best way you can do it.

Bart: God, Schmod. I want my monkey-man.

In reply to Re^9: Is this a secure way to prevent cookie tampering by exussum0
in thread Is this a secure way to prevent cookie tampering by EvdB

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.