
Michael Gracie

I like my cookies with encryption on top

Quick and dirty mcrypt usage

I don’t know where I discovered the original idea, but in messing around with a PHP app I found the need to encrypt session cookies. Here’s how it was done, with the mcrypt library:

//encrypt session cookie
function encryptUserCookie($value)
{
    if(!$value) {
        return false;
    }
    $key = SESSION_SALT; //shared secret, loaded from a variables file
    $text = $value;
    //note: MCRYPT_RIJNDAEL_256 is Rijndael with a 256-bit block size, not AES-256
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    //in ECB mode mcrypt ignores the IV entirely: identical values always encrypt to identical ciphertext
    $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
    return trim(base64_encode($crypttext)); //encode for cookie
}

Decoding the cookie was much the same…

//decrypt session cookie
function decryptUserCookie($value)
{
    if(!$value) {
        return false;
    }
    $key = SESSION_SALT;
    $crypttext = base64_decode($value); //decode cookie
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); //unused in ECB mode, see above
    //no integrity check: a modified cookie still "decrypts", just to different bytes
    $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $crypttext, MCRYPT_MODE_ECB, $iv);
    return trim($decrypttext); //trim() strips the NUL bytes mcrypt pads the last block with
}

SESSION_SALT was of course something I called from a variables file.

These snippets were used in an online directory system, where I didn’t want attendees inspecting the cookies for the purpose of setting up multiple listings under the same login.

Simple stuff, but hope it is useful to someone.
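The mcrypt extension was deprecated in PHP 7.1 and dropped from core in 7.2, and the snippets above have two properties worth knowing about before reusing the idea: ECB mode ignores the IV, so the same cookie value always produces the same ciphertext, and there is no integrity check, so an altered cookie is decrypted without complaint. The following is an added example, not code from the original post, showing the same two helpers rebuilt on PHP's bundled libsodium (PHP 7.2 or later). It assumes a 32-byte secret held in a SESSION_KEY constant (the post's SESSION_SALT under a new name); the key value defined here is a constructed demo value that stands in for one loaded from a config file outside the web root.

```php
<?php
// Added example: authenticated cookie encryption with libsodium's secretbox.
// Not the original post's code. Assumes PHP >= 7.2 with the sodium extension.
declare(strict_types=1);

// Assumption: a real deployment loads this from configuration. Generate once with
//   bin2hex(sodium_crypto_secretbox_keygen())
// and keep the hex string out of source control. The value below is a constructed demo key.
define('SESSION_KEY', hex2bin(str_repeat('ab', SODIUM_CRYPTO_SECRETBOX_KEYBYTES)));

function encryptUserCookie($value)
{
    if (!$value) {
        return false;
    }
    // Fresh random nonce per cookie: equal values now yield different ciphertexts,
    // unlike ECB mode, where the IV is ignored and equal inputs encrypt identically.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox = XSalsa20 encryption plus a Poly1305 MAC over the ciphertext,
    // so any modification of the cookie is detected at decrypt time.
    $box = sodium_crypto_secretbox((string) $value, $nonce, SESSION_KEY);
    // The nonce is not secret; prepend it so decrypt can recover it. URL-safe
    // base64 without padding keeps the cookie value free of characters that need escaping.
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

function decryptUserCookie($value)
{
    if (!$value) {
        return false;
    }
    try {
        $raw = sodium_base642bin((string) $value, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return false; // not valid base64: treat as a bad cookie, not an error page
    }
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $minLen) {
        return false; // too short to hold a nonce and a MAC
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Returns false when the MAC does not verify, so a tampered cookie is rejected
    // instead of being turned into garbage that downstream code might trust.
    $plain = sodium_crypto_secretbox_open($box, $nonce, SESSION_KEY);
    return $plain === false ? false : $plain;
}

// Self-check on constructed input.
$cookie = encryptUserCookie('user_id=42');
var_dump(decryptUserCookie($cookie) === 'user_id=42');

// Change one character of the cookie: the MAC check fails and decrypt returns false.
$tampered = $cookie;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
var_dump(decryptUserCookie($tampered));

// Encrypting the same value twice gives two different cookies (random nonce).
var_dump(encryptUserCookie('user_id=42') !== encryptUserCookie('user_id=42'));
```

The return convention (false on any failure) is kept so the helpers drop into the same call sites; callers should treat false as "no valid session" rather than retrying with the raw cookie value. Because the nonce travels with the cookie, rotating SESSION_KEY simply invalidates every outstanding cookie, which is usually the desired effect.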

Cookies from the neighbors

My neighbors’ four year old daughter made cookies today. The family knows I fish.

Rainbow trout and Bluefish

A couple of Stegosauruses too, although I don’t think anyone makes tippet for those.

I’ll note I’ve never seen fish disappear so fast – they must have known I was coming.

Holiday treat tip for tech geeks

Some are already putting their New Year’s resolutions together, and based on the amount of food we all eat, one of those personal promises will probably be joining a gym. For me, it is all the cookies I eat. I love ’em, particularly the fresh chocolate chip/peanut buttery types and the pecan sandies.

Cookie consumption is enjoyable, no doubt. Unfortunately, if you are a website administrator, you might want to focus more concern on cookie use than how many of the sugary kind you stuff in your gob.

Cookies are not necessarily your friends

Cookies are everywhere, and the web can’t run without them (particularly with so much content supported by advertising). Nowadays, you almost have to accept them in some form in your browser, or site functionality is hampered.

But what really are they? Where do they come from? Do you have to watch out for them?

The Week answers those questions and a few more, and in my favorite style: plain English, sticking to the facts, etc. etc. So I’ll just say thanks.

Computer Privacy In Five Easy Steps

With all the concern about web privacy nowadays, particularly with the Google vs. Feds battle going on, TechWeb put together a nice piece on preserving that privacy, which is worth a read.

Most of the explanations and pointers relate to Windows, but that doesn’t mean Linux or OS X users are immune to this issue. For cleaning up your OS X machine, I will go ahead and suggest using Cache Out X from NoName Scriptware, which serves duty on the internet side, as well as machine user and system logs. And I’d love to hear what Linux users are doing on this front (outside of the terminal window, of course).

NSA’s Hands Deep in the Cookie Jar

The NSA has been snagged serving cookies to its website visitors’ computers, despite federal rules against the practice. The cookies expire when? 2035. Hmm. Who else does such things?

They had an excuse – an overlooked software upgrade. I wouldn’t be surprised if the Bush Administration now pins the whole spying fiasco on the NSA, citing a rogue macro in Word that screws up court orders.

Marketers piss and moan about cookies

I say tough shit. Most people don’t want to be tracked, and lobbying anti-spyware firms to remove blacklisted URLs better result in a big fat “NO.”

At least that is what the latest JupiterResearch report is suggesting.

First they lobby, then someone capitulates, and next thing you know, the technology has changed and nobody knows the better.

Is Wells Fargo opening a can of worms?

Wells Fargo is introducing anti-fraud alerts for its online banking customers, and I just have to wonder how long it will be until phishers are faking the same for less worthwhile (or more worthwhile, if you are the perp) causes.

Included in the bunch will be alerts when a suspicious access attempt (to accounts that is) is made, as well as notifications when transactions exceed a certain volume. While the latter might be helpful (as long as folks actually use it), the former sounds like a prime way for phishers to get access in the first place. It will be interesting to hear the hows and whys of what makes access suspicious – if Wells plans on tracking IP addresses and using cookies, I suspect the whole thing is going to be a big pain in the butt in our mobile/wireless, browser cookie blocking world.