TIP: Use Markdown or, <pre> for multi line code blocks / <code> for inline code.
These forums are read-only and for archival purposes only!
Please join our new forums at discourse.kohanaframework.org
Cookie salt
  • Why cookie helper salt cookie by default?

    Kohana is (like you said) light framework. For instance you deleted all security checks (ip, agent, owner etc) from session which was very good move! Please do the same with cookie helper, it should only set, get and delete cookies.
    If somebody need salt he should use cookie helper advanced methods or standard methods with other class.

    Second, is salting cookie really needed? We souldnt store sensitive data in cookie?

  • You don't need a Cookie helper to get/set/delete cookies. So it makes sense that if you're going to use a cookie helper it might as well do something useful. Frankly I don't see the problem of signing cookies, it makes perfect sense, and should have been part of how cookies work by default.

  • "Second, is salting cookie really needed? We souldnt store sensitive data in cookie?"

    @koham_kohane Signing the cookie with a salted hash is for integrity reasons, not for hiding sensitive data (it doesn't). It simply stops cookies being tampered with. If you do not need it use $_COOKIE and setcookie as @Akki hinted.

  • Cookie signing is standard a standard security practice among frameworks. AFAIK, Django really pioneered this practice and made it a must-have feature for some people.

    You should never store private data in cookies, period. As @DrPheltRight said, signing just ensures that a client cannot tamper with the cookie. Because PHP is stateless, the client has to re-identify with the server every request, and the best way to do that is with a signed cookie.

  • Ok you are right about signing cookie, but what do you think about the idea of using static property to disable salting?

    if Cookie::$salt == NULL then throw exception else if Cookie::$salt == FALSE then dont salt cookie else salt cookie

  • If you don't need salting, dont use the class.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

In this Discussion