Are there any best practices for securely storing sensitive information in PHP cookies?

Sensitive information should never be stored directly in PHP cookies as they can be easily accessed by users. Instead, it is recommended to encrypt the sensitive data before storing it in a cookie. One common approach is to use PHP's built-in encryption functions like `openssl_encrypt` and `openssl_decrypt` to securely encrypt and decrypt the data. 

// Encrypt sensitive information before storing in a cookie
function encryptData($data, $key) {
    $cipher = "AES-256-CBC";
    $ivlen = openssl_cipher_iv_length($cipher);
    $iv = openssl_random_pseudo_bytes($ivlen);
    $ciphertext = openssl_encrypt($data, $cipher, $key, 0, $iv);
    return base64_encode($iv . $ciphertext);
}

// Decrypt sensitive information from a cookie
function decryptData($data, $key) {
    $cipher = "AES-256-CBC";
    $data = base64_decode($data);
    $ivlen = openssl_cipher_iv_length($cipher);
    $iv = substr($data, 0, $ivlen);
    $ciphertext = substr($data, $ivlen);
    return openssl_decrypt($ciphertext, $cipher, $key, 0, $iv);
}

// Example usage
$key = "secret_key_here";
$sensitiveData = "example_sensitive_data";
$encryptedData = encryptData($sensitiveData, $key);

// Store encrypted data in a cookie
setcookie("encrypted_data", $encryptedData, time() + 3600, "/");

// Retrieve and decrypt sensitive data from the cookie
if(isset($_COOKIE["encrypted_data"])) {
    $decryptedData = decryptData($_COOKIE["encrypted_data"], $key);
    echo "Decrypted data: " . $decryptedData;
}

Keywords

encryption secure cookies PHP hashing session management

Related Questions