PHP Cookie Two Way Cookie Encryption

         

username

11:39 pm on Jun 4, 2009 (gmt 0)




Hi all,

I have been developing a cookie for managing return visits to a site after a user logs in and closes their browser. I have been encrypting the username of the user, using:

$username = $_SESSION['username'];
$encoded = base64_encode(serialize($username));

storing the $encoded value, then decoding it later when the user revisits the site with:

$login_cookie = $_COOKIE['cookie'];
unserialize(base64_decode($login_cookie));

...and testing to see if it exists.

Now this will fool most novices, but I am concerned that higher level hackers would break this. What is the best method of managing a user cookie, and what value should I store on their PC?

enigma1

9:24 am on Jun 7, 2009 (gmt 0)




A good method is to just send an identifier to the client end. So you don't need to send kilobytes of data but an id and then use the id to relate it to a database entry. Pretty much how the session cookie operates but you can use another one for long term info.

Eg: db table logged_user
CREATE TABLE logged_user (
cookie_id int(11) NOT NULL,
logged_user_data VARCHAR(255) NOT NULL,
PRIMARY KEY (cookie_id)
);

then when you get a new user logging in you create a database entry and send a cookie with the id alone.

setcookie('the_cookie_name', $cookie_id, $expire, etc....

When the user comes back you check if the cookie_id exists in the database and if so you retrieve the associated data from the database. You need to set up some algorithm to generate a unique key as the cookie id. Of course if the client end is hijacked an attacker will be able to do anything and none of this works.
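The identifier-in-a-cookie approach from the post above, as an added example that is not part of the original thread. The `remember_token` table, the `remember` cookie name and the choice to store only a SHA-256 hash of the identifier are assumptions; the demo needs PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example, not code from the thread. Table and cookie names are assumptions.

function issueRememberToken(PDO $db, int $userId, int $lifetime = 2592000): string
{
    $token = bin2hex(random_bytes(32));   // 256 random bits: the "unique key" must be unguessable
    $stmt = $db->prepare(
        'INSERT INTO remember_token (token_hash, user_id, expires_at) VALUES (?, ?, ?)'
    );
    // Only a hash is stored, so a leaked table does not yield usable cookie values.
    $stmt->execute([hash('sha256', $token), $userId, time() + $lifetime]);
    return $token;
}

function userIdFromToken(PDO $db, string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;                      // malformed cookie value, never reaches the query
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM remember_token WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Constructed demo against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_token (
    token_hash CHAR(64) PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL
)');

$token = issueRememberToken($db, 42);     // 42 is a constructed user id
// In a real response (PHP 7.3+ option array):
// setcookie('remember', $token, ['expires' => time() + 2592000, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

var_dump(userIdFromToken($db, $token));               // token that was just issued
var_dump(userIdFromToken($db, str_repeat('0', 64)));  // well-formed but unknown token
var_dump(userIdFromToken($db, 'not-a-token'));        // malformed value
```

The cookie carries no user data at all, so nothing in it needs decrypting; deleting the row revokes it.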

username

10:14 pm on Jun 7, 2009 (gmt 0)




Thanks for the suggestions. I am a little concerned with the provided solution due to the client side vulnerabilities. My guess is, that it is not 100% secure. I was trying at one point to develop a solution similar to the crypt() method, with a BLOWFISH type server side password included which would be great, but you can't decrypt that to my knowledge as it is one way.

If anyone knows a method like that, or knows how to use server side password encryption or decrypt the one way crypt method I would love to know.

Thanks.

penders

9:20 am on Jun 8, 2009 (gmt 0)




@enigma1: Of course if the client end is hijacked an attacker will be able to do anything and none of this works.

Can you expand on this? In what way hijacked? ... if the cookie_id is guessed by a potential hacker? Thanks.

enigma1

11:03 am on Jun 8, 2009 (gmt 0)




For session hijacking there are lots of topics about it. The session cookie id is not really guessed but can be propagated on purpose. Here is an example:

1. Attacker visits commercial server obtains session cookie or session id via the url. Servers with shared SSL for instance do need the session to be passed via the url during transition from non-ssl to ssl and vice versa, to maintain integrity of the visitors info.
2. Deploys a jscript or link (depending how the session is exposed with a link is simpler but jscripts can cover all cases) to the client, via other sites or email, so once the target site is visited, the id that was obtained by the attacker is used. In other words visitor now uses an id known by the attacker.
3. Attacker can refresh the id for 2 main reasons a) so the session does not expire by accessing the targeted server, b) to monitor session access by others.

Another example is with the use of a common system where cookies aren't cleared for whatever reason or they are preset on purpose where the browser keeps sessions or other private data.

So now if the visitor say creates an account or logs in and the server doesn't regenerate a new session or if the visitor's browser is hijacked, the information becomes available to the attacker. That includes names, addresses etc.

So the attacker doesn't need to know how the session is encoded in this case, while he can employ such methods for popular commercial sites.
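The server-side countermeasure to the case described above, where the server "doesn't regenerate a new session" at login, as an added example that is not part of the original thread. The function names and cookie settings are assumptions; the option-array form of `session_set_cookie_params()` needs PHP 7.3+.

```php
<?php
// Added example, not code from the thread. Function names are assumptions.

function startHardenedSession(): void
{
    ini_set('session.use_strict_mode', '1');   // refuse ids the server did not issue itself
    ini_set('session.use_only_cookies', '1');  // ignore a session id supplied in the URL
    ini_set('session.use_trans_sid', '0');     // never rewrite links to carry the id
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // not readable from script in the page
        'samesite' => 'Lax',
    ]);
    session_start();
}

function completeLogin(string $username): void
{
    // Issue a fresh id and delete the old session data, so an id that was
    // known to someone else before login never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION = ['username' => $username];     // drop anything set before login
}

startHardenedSession();
$before = session_id();
completeLogin('alice');                        // constructed sample user
$after = session_id();

echo $before !== $after ? "session id rotated at login\n" : "session id unchanged\n";
```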

username

4:02 am on Jun 9, 2009 (gmt 0)




Thanks, but what I really want is a method to encrypt a variable value, so I can store it in a cookie, then using an algorithm, decrypt that cookie value and use it.

Any ideas?

coopster

12:31 pm on Jun 9, 2009 (gmt 0)




mcrypt [php.net] functions will allow you to encrypt and decrypt a value using many different block algorithms and cipher modes. Use a predefined shared secret key that is stored on your server when you initialize the buffer [php.net] and make sure the value of the key is less than or equal to the maximum supported keysize of the opened mode [php.net]. And don't forget to call srand [php.net] before you create the initialization vector (IV) [php.net].

You will need the same key when you decrypt the data [php.net].

Note: you will still have to base64_encode and decode the encrypted COOKIE data value.
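Two-way encryption of a cookie value with a server-side key, as an added example that is not part of the original thread. It swaps the mcrypt functions named above (removed from core in PHP 7.2) for the bundled libsodium `secretbox` API, which also authenticates the value; the function names and the sample value are assumptions.

```php
<?php
// Added example, not code from the thread. Uses libsodium (PHP 7.2+) in place of mcrypt.

function sealCookieValue(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh for every cookie
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);  // encrypts and adds a MAC
    return base64_encode($nonce . $box);                         // text-safe cookie value
}

function openCookieValue(string $cookie, string $key): ?string
{
    $raw = base64_decode($cookie, true);                         // strict mode rejects non-base64
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;                                             // too short to be a sealed value
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);   // false if modified or wrong key
    return $plain === false ? null : $plain;
}

// Demo key generated on the spot. A real site loads one fixed key from
// server-side configuration so cookies stay readable across requests.
$key = sodium_crypto_secretbox_keygen();

$cookie = sealCookieValue('alice', $key);                        // constructed sample value
var_dump(openCookieValue($cookie, $key));                        // round trip with the right key

// Flip one bit of the ciphertext, as a client editing its cookie could.
$raw = base64_decode($cookie);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);
var_dump(openCookieValue(base64_encode($raw), $key));            // modified value

var_dump(openCookieValue('bm90IGEgYm94', $key));                 // valid base64, too short
```

A sealed value that is copied from one browser to another still opens correctly, so put an expiry time inside the plaintext and check it after opening.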