Encrypted Cookies...or not

Hi All,

I am setting up my cookies to be encrypted in the config file according to the documentation. However, when I check my ‘UserID’ cookie in Firefox or Chrome, I can see it plain as day. Am I missing something?

Thanks,
Jonathan

Sana, any thoughts on this?

Can you post your code?

Luis

Hi Jonathan,

Could you please verify that you have these settings in coldbox.xml.cfm,
and also make sure you reload the App after these changes:

whether to encrypt the values or not

The encryption seed to use. Else, use a default one (Not Recommended)

The encryption algorithm to use (According to CFML Engine)

Thanks
Sana

Sorry for the delay in response to this. It turned out that the cookie encryption was working exactly how it was designed, but I’d like to lay out what the issue was and see about an additional setting in the coldbox config…

I am working on the security framework for my site. I give a user the option to ‘Remember Me’ if they would like to stay logged in for 7 days. I am simply setting a cookie with the user’s id if they want to be remembered. Not using GUIDs, my admin user’s id is ‘2’. Well, I wasn’t really thinking of this when I opened the cookie and saw a value of ‘22’. I was expecting some cryptic string of characters, so when I saw a plain old integer I assumed the encryption wasn’t working. It turns out the default encoding for the cookie storage plugin is Hex, so encrypting the value ‘2’ using the CFMX_COMPAT algorithm with my seed rendered an encoded value of ‘22’. This doesn’t work for obvious reasons.

Changing the encoding in the cookiestorage.init() to Base64 gave me the results I wanted and expected. I had to change this in the cookiestorage.cfc because there is no setting for cookiestorage_encryption_encoding. Can we add a cookiestorage_encryption_encoding in the coldbox.config?

Hi Johnathan,

Good point, I will see if encoding can be added to cookies. (Other CF engines' compatibility could be a show stopper.)

For the time being you may use the encryption algorithms AES or DESEDE.

Thanks
Sana

Hi Sana,

Thanks for the reply.

When I try to use AES or DESEDE I get this error…

An error occurred while trying to encrypt or decrypt your input string: ‘’ Can not decode string “SeedValue”

I isolated the encrypt() function outside the framework like this…

#Encrypt('2','SeedValue','DESEDE','Hex')#

…and I get the same error. Any ideas?

Ah… to answer my own question…

You can’t use another algorithm besides CFMX_COMPAT because you would need to use generateSecretKey() to produce your cookiestorage_encryption_seed. Is there a fancy way to do that in the config file, or would it need to be written into the plugin?

So, I’ve decided that I need to put the cookiestorage plugin into the OCM, and use the setEncryption function in order to set up AES encryption using generateSecretKey().

The problem I am having now is that my model object is being autowired before the onAppInit function puts the cookiestorage plugin into the OCM. So, when my model object tries to access instance.cookies I get the “Element COOKIES is undefined in a Java object of type class [Ljava.lang.String;” error.

Is the best practice solution to create an afterConfigurationLoad interceptor to set this up before the model is autowired? (like the transfer loader?)
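The two findings of this thread side by side, as an added example that is not the ColdBox plugin's own code: CFMX_COMPAT with Hex on a one-character id, and AES with a key from generateSecretKey() held in the application scope so it survives between requests. The seed "SeedValue", the cookie name "rememberMe" and the presence of an Application.cfc (so the application scope exists) are assumptions.

```cfml
<!--- Added example, not from the ColdBox cookiestorage plugin.
      1) CFMX_COMPAT + Hex on a one-character id gives a short hex string
         (the thread's "2" -> "22"): valid ciphertext, just not "cryptic".
      2) AES/DESEDE need a key from generateSecretKey(), not an arbitrary seed.
      "SeedValue" and the cookie name "rememberMe" are constructed sample values. --->
<cfscript>
    userId = "2";
    seed   = "SeedValue";

    // Finding 1: what the plugin's default settings produce.
    legacy = Encrypt(userId, seed, "CFMX_COMPAT", "Hex");

    // Finding 2: AES needs a properly sized key, created once per application.
    // generateSecretKey() returns the key Base64-encoded. Passing "SeedValue"
    // here instead raises the "Can not decode string" error quoted above.
    // Generating a new key on every request would make existing cookies
    // undecryptable, so it is kept in the application scope (assumed to exist).
    if (not structKeyExists(application, "cookieKey")) {
        application.cookieKey = generateSecretKey("AES");
    }

    cipherText  = Encrypt(userId, application.cookieKey, "AES", "Base64");
    plainText   = Decrypt(cipherText, application.cookieKey, "AES", "Base64");
    roundTripOk = (plainText eq userId);
</cfscript>

<!--- Store the ciphertext rather than the bare id. secure keeps the cookie off
      plain HTTP and httponly keeps it away from script; the httponly attribute
      needs ColdFusion 9 or later. expires="7" matches the thread's 7-day window. --->
<cfcookie name="rememberMe" value="#cipherText#" expires="7" secure="true" httponly="true">

<cfoutput>
    CFMX_COMPAT/Hex of "#userId#": #legacy#<br>
    AES/Base64 of "#userId#": #cipherText#<br>
    Round trip OK: #roundTripOk#
</cfoutput>
```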

Hi Johnathan,

Copy cookiestorage plugin, rename to CookiePlugin. Then use Base64 in init() method.

This will be your custom plugin for your App.
Easy and quick solution for you now :)

yourApp/plugins/CookiePlugin.cfc

Thanks
Sana

Brilliant! That works great. I only had to update the init() return type to jive with the new filename.

Thanks Sana!