Add cookie protection about cookies HOT 8 CLOSED

Would you accept PR for PSR-15 cookie encryption middleware? I have a baked solution for our project already on yii3.

from cookies.

Encryption isn't the same as MAC-signing. What's the use case for encrypting a cookie?

from cookies.

Yep, it's true. But they are two things that are sometimes used exclusively for the same purpose, or even as a best practice used both together. Encryption is used when you have somewhat sensitive data you need to store in cookies (by saying somewhat I mean the data that is still ok to store in cookies as really sensitive data must not be stored in cookies). Also encryption of cookies can be sometimes be used as an alternative of signing, as the data will be malformed if somebody tampers it on client side. But ideally they are used together first the data is encrypted and then the data is signed. Cookie encryption middleware can also have a key exclusion map, to define the keys to be excluded during encryption, so that they are available unencrypted on client side while still having other more sensitive values encrypted.

As they are very similar in purpose and functionally, I will be happy to implement both cookie signing and encryption PSR-15 middlewares and try to document their usage (right order).

from cookies.

OK.

from cookies.

Discussed internally. Decided not to have both HMAC signing (usually it's fine just to set HttpOnly) and encryption (usually it results in storing too much in the cookies and transferring too much each request of each image, CSS or JS). At least initially.

from cookies.

Reopened because of yiisoft/user#30

from cookies.

Need to consider having a middleware for signing/verifying and encrypting/decrypting cookies.

from cookies.

Implemented.

from cookies.