
Encrypt/Decrypt cookies #13

Open
oscarotero opened this issue Feb 7, 2017 · 5 comments

Comments

@oscarotero
Member

A middleware to decrypt incoming and encrypt outgoing cookies.
It could use a JWT implementation or php-encryption.

Maybe it could provide some security features:

  • Filter allowed cookies (and remove the others)
  • Ensure all cookies have directives like secure, httponly, etc...
@sa-tasche

Why encrypt cookies? HTTPS should be used for that case.
Why filter? They can be ignored.

@oscarotero
Member Author

Sometimes you don't want the client to be able to read a cookie value, or you cannot use https, etc.
And on removing cookies: they are not included in the next http request, so it's good for performance.
Anyway, these are only random ideas. I agree that, in most cases, the need for encrypted cookies is surely because there are other bad things in the app security architecture.

@ncou ncou mentioned this issue Jul 12, 2018
@ncou

ncou commented Jul 12, 2018

Hi,

I made a middleware like this, using a custom crypt engine (https://github.com/ncou/CryptEngine). I could share the code if you want, but I need to tidy it a bit (by the way, the credit goes to another person because I was inspired by some piece of code I found on the internet).

@oscarotero
Member Author

Thanks, @ncou
I was thinking of using a dependency like php-encryption, which uses best practices and is actively maintained, instead of implementing the crypt engine directly, so as not to reinvent the wheel and to avoid possible future security issues.
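Added example (not code from the middlewares project or from any commenter): a hypothetical PSR-15 middleware that does what the opening post describes (decrypt incoming cookies, encrypt outgoing ones, drop cookies not on an allow-list, force Secure/HttpOnly) using defuse/php-encryption as suggested above. It assumes PHP 8, the psr/http-server-middleware interfaces, any PSR-7 implementation, and a key stored in a COOKIE_KEY environment variable; the class and the cookie names `session` and `prefs` are invented for the illustration.

```php
<?php
declare(strict_types=1);

use Defuse\Crypto\Crypto;
use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;
use Defuse\Crypto\Key;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

/**
 * Hypothetical PSR-15 middleware (example only, not part of the middlewares project).
 * Incoming cookies on the allow-list are decrypted and authenticated; all others are
 * dropped and told to expire. Outgoing Set-Cookie headers get their value encrypted
 * and Secure / HttpOnly / SameSite forced on.
 */
final class EncryptedCookies implements MiddlewareInterface
{
    /** @param string[] $allowed cookie names the application is allowed to see */
    public function __construct(private Key $key, private array $allowed)
    {
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $cookies = [];
        $unknown = [];
        foreach ($request->getCookieParams() as $name => $value) {
            if (!in_array($name, $this->allowed, true)) {
                $unknown[] = $name;          // filtered: the handler never sees it
                continue;
            }
            try {
                // Authenticated decryption: a forged, tampered or re-keyed value throws.
                $cookies[$name] = Crypto::decrypt((string) $value, $this->key);
            } catch (WrongKeyOrModifiedCiphertextException) {
                // Treat an unreadable cookie as absent; never hand ciphertext to the app.
            }
        }

        $response = $handler->handle($request->withCookieParams($cookies));

        $headers = [];
        foreach ($response->getHeader('Set-Cookie') as $header) {
            $headers[] = $this->harden($header);
        }
        // Expire cookies the application does not use so the browser stops sending them.
        // Assumes they were set with Path=/ : deletion only matches the original path/domain.
        foreach ($unknown as $name) {
            $headers[] = $name . '=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/; Secure; HttpOnly';
        }

        return $headers === [] ? $response : $response->withHeader('Set-Cookie', $headers);
    }

    /** Encrypts the value of one Set-Cookie header and forces the security attributes. */
    private function harden(string $header): string
    {
        $parts = array_map('trim', explode(';', $header));
        [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');

        // Keep attributes we do not manage (Path, Domain, Max-Age, ...);
        // drop any Secure/HttpOnly/SameSite the application set so ours win.
        $attributes = array_filter($parts, static function (string $attr): bool {
            $key = strtolower(explode('=', $attr, 2)[0]);
            return !in_array($key, ['secure', 'httponly', 'samesite'], true);
        });

        // An empty value means "delete this cookie": leave it alone. Otherwise encrypt;
        // Crypto::encrypt() returns hex, so the value needs no further cookie encoding.
        $out = $value === '' ? '' : Crypto::encrypt($value, $this->key);

        $attributes[] = 'Secure';
        $attributes[] = 'HttpOnly';
        $attributes[] = 'SameSite=Lax';

        return $name . '=' . $out . '; ' . implode('; ', $attributes);
    }
}

// Usage. Generate the key once, outside the request path, and keep it out of the web root:
//   $key = Key::createNewRandomKey(); echo $key->saveToAsciiSafeString();
$encoded = getenv('COOKIE_KEY');
if ($encoded === false) {
    throw new RuntimeException('COOKIE_KEY is not set');
}
$middleware = new EncryptedCookies(Key::loadFromAsciiSafeString($encoded), ['session', 'prefs']);
```

Two caveats a practitioner should keep in mind. php-encryption prepends a version header, salt and IV and appends an HMAC, and then hex-encodes the whole thing, so a cookie value grows by well over a hundred characters and roughly doubles in length; with the ~4 KB per-cookie limit in browsers, keep encrypted cookies small. And forcing the Secure attribute means the browser only sends the cookie over HTTPS, so this middleware as written does not fit the "cannot use https" case from the discussion; dropping Secure to make it work over plain HTTP also drops the transport protection the attribute gives.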

@ncou

ncou commented Jul 12, 2018

Yes, you are absolutely right, this lib should be stronger and more actively maintained than mine.
