[TYPO3-mvc] encrypted cookies in TYPO3

Chris Wolff - AERTiCKET AG cwolff at aer.de
Mon Dec 22 10:33:52 CET 2014


Hello,
Whether cookie encryption makes sense depends on your session handling strategy.

a) If you store the session values on the server side (as TYPO3 does) and only hand out an "identifier" (session ID)
to the user, it makes no sense to encrypt the session ID, as you replace one random string with another.

b) If on the other hand you store session values in the user's browser (as many Ruby on Rails apps do), it makes perfect sense
to encrypt the values, as you don't want the users to tamper with your session data.

c) A third option is to use cookies to store some "settings", like the sorting of a list view if you sort that list via JavaScript, and similar.
Here encryption makes no sense, as the user has access to all your JavaScript and therefore the encryption methods, and could encrypt every value he wants.

Cookie encryption only makes sense to "protect" you against manipulation of cookie data. It does NOT protect you from cookie stealing and cookie reuse.
Against cookie stealing use HTTPS.
Against cookie reuse try IP and/or client lock.

Regards, Chris


-----Original Message-----
From: typo3-project-typo3v4mvc-bounces at lists.typo3.org [mailto:typo3-project-typo3v4mvc-bounces at lists.typo3.org] On Behalf Of Helmut Hummel
Sent: Friday, 19 December 2014 21:27
To: typo3-project-typo3v4mvc at lists.typo3.org
Subject: Re: [TYPO3-mvc] encrypted cookies in TYPO3

Hey Muriel,


On 19.12.14 16:08, Muriel le Pair wrote:

> Philipp Gampe wrote on 19-12-14 15:30:
>> There are no such functions, because they do not make sense.

I disagree that it does not make sense to encrypt cookie values.

But indeed there is nothing related to that in TYPO3 core.

> Maybe I'm overly paranoid; it's not that I want to store sensitive 
> information, it's just that I don't want to store any information that 
> makes any sense.

It is a good practice to encrypt cookie values. Since there are no methods for that in TYPO3, just use e.g. mcrypt with a good secret when storing and retrieving cookie values. I would suggest that you write a small wrapper class for that yourself.

Kind regards,
Helmut

--
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 CMS Active Contributor, TYPO3 Security Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
_______________________________________________
TYPO3-project-typo3v4mvc mailing list
TYPO3-project-typo3v4mvc at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-project-typo3v4mvc
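Added example, not code from this thread or from TYPO3: a small wrapper class of the kind Helmut suggests, covering Chris's case (b), where values live in the browser and must not be tampered with. It swaps in openssl (AES-256-CBC plus an HMAC-SHA256, encrypt-then-MAC) for mcrypt, which PHP no longer ships; the class name, the 32-byte key pair and how the keys are stored are assumptions.

```php
<?php
// Added example (not TYPO3 code): encrypt-then-MAC wrapper for cookie values,
// using openssl instead of mcrypt. Loading the two keys from secure storage is
// left to the caller (assumption); they must be independent random 32-byte strings.
final class SealedCookie
{
    private const CIPHER = 'aes-256-cbc';

    public function __construct(private string $encKey, private string $macKey)
    {
        if (strlen($encKey) !== 32 || strlen($macKey) !== 32) {
            throw new InvalidArgumentException('each key must be 32 random bytes');
        }
    }

    // Returns base64(iv . ciphertext . hmac); base64 is a valid cookie-value alphabet.
    public function seal(string $plaintext): string
    {
        $iv = random_bytes(16);
        $ct = openssl_encrypt($plaintext, self::CIPHER, $this->encKey, OPENSSL_RAW_DATA, $iv);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        $mac = hash_hmac('sha256', $iv . $ct, $this->macKey, true);
        return base64_encode($iv . $ct . $mac);
    }

    // Returns the plaintext, or null when the value was altered or forged.
    public function open(string $cookieValue): ?string
    {
        $raw = base64_decode($cookieValue, true);
        if ($raw === false || strlen($raw) < 16 + 16 + 32) {
            return null;
        }
        $iv  = substr($raw, 0, 16);
        $mac = substr($raw, -32);
        $ct  = substr($raw, 16, -32);
        // Verify the MAC in constant time before the ciphertext is touched at all.
        if (!hash_equals(hash_hmac('sha256', $iv . $ct, $this->macKey, true), $mac)) {
            return null;
        }
        $pt = openssl_decrypt($ct, self::CIPHER, $this->encKey, OPENSSL_RAW_DATA, $iv);
        return $pt === false ? null : $pt;
    }
}

// Self-test with constructed keys; flipping one character of the cookie must make open() return null.
$cookie   = new SealedCookie(random_bytes(32), random_bytes(32));
$sealed   = $cookie->seal('sort=price;dir=asc');
$tampered = substr_replace($sealed, $sealed[5] === 'A' ? 'B' : 'A', 5, 1);
if ($cookie->open($sealed) !== 'sort=price;dir=asc' || $cookie->open($tampered) !== null) {
    throw new LogicException('SealedCookie self-test failed');
}
```

As Chris notes, this only defends against manipulation: a copied cookie still opens fine, so transport protection (HTTPS, Secure/HttpOnly flags) and server-side session binding remain separate concerns.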