Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Encrypt/Decrypt cookies #13

Open
oscarotero opened this issue Feb 7, 2017 · 5 comments
Open

Encrypt/Decrypt cookies #13

oscarotero opened this issue Feb 7, 2017 · 5 comments

Comments

@oscarotero
Copy link
Member

A middleware to decrypt incoming and encrypt outgoing cookies.
It could use a JWT implementation or php-encription.

Maybe it could provide some security features:

  • Filter allowed cookies (and remove the others)
  • Ensure all cookies have directives like secure, httponly, etc...
@sa-tasche
Copy link

Why encrypting cookies? HTTPS should be used for that case.
Why filtering? They can be ignored.

@oscarotero
Copy link
Member Author

Sometimes you don't want the client be able to read a cookie value, or you cannot use https, etc.
And on remove cookies, they are not included in the next http request, so it's good for performance.
Anyway, these are only random ideas. I'm agree that, in most cases, the need for encrypted cookies is surely because there're other bad things in the app security architecture.

@ncou ncou mentioned this issue Jul 12, 2018
@ncou
Copy link

ncou commented Jul 12, 2018

Hi,

I made a middleware like this, using a custom crypt engine (https://github.com/ncou/CryptEngine) i could share the code if you want, but i need to tidy it a bit (by the way the credits goes to another person because i was inspired by some piece of code i found on internet).

@oscarotero
Copy link
Member Author

Thanks, @ncou
I was thinking in using a dependency like php-encryption that uses best practices and is actively maintaned, instead implement directly the crypt engine, to do not reinvent the wheel an avoid possible future security issues.

@ncou
Copy link

ncou commented Jul 12, 2018

yes you are absolutly right this lib should be more stronger and more actively maintained than mine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants