Encrypting Data in Cookies and Session Variables
I'm not a big fan of storing a lot of information in cookies and session variables (and even less so if the information is sensitive), but sometimes, for any number of reasons, you gotta' stash the info somewhere, and cookies and session variables fit the bill. If you have to do this, make sure the information is encrypted. Cookies are stored as raw text files on the user's PC, which can be opened with Notepad or searched with any number of tools. Session variables, while stored on the server and only for the lifetime of the session (and hence more secure), are not 100% secure.
The important issue with storing data in cookies or session variables is that the encryption must be reversible: you must be able to encrypt the data to protect it, decrypt it to use it, and probably encrypt it again after some modification, and so on.
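Here is what that reversible encryption should look like in .NET, as an added example that is not code from this post or from any of the articles and libraries listed below. It uses the same building blocks those articles cover (a SymmetricAlgorithm driven through a CryptoStream, plus an HMAC, which is a HashAlgorithm) but adds the piece a cookie actually needs: an integrity check, so a value that has been edited on the user's PC is rejected instead of decrypted into garbage or something worse. The class name, the two keys and the way they are obtained are assumptions; in practice the keys live in configuration (protected with DPAPI, for instance), never in source.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the page or the linked articles. Protects a
// cookie value with AES-CBC (confidentiality) plus HMAC-SHA256 (integrity),
// encrypt-then-MAC. Key handling is an assumption: the two keys would be
// loaded from configuration (or a DPAPI-protected store), never hard-coded.
public static class CookieProtector
{
    private const int IvSize = 16;   // AES block size in bytes
    private const int MacSize = 32;  // HMAC-SHA256 output size in bytes

    // Returns a cookie-safe Base64 string laid out as IV || ciphertext || MAC.
    public static string Protect(string plaintext, byte[] encKey, byte[] macKey)
    {
        byte[] iv = new byte[IvSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(iv);                          // fresh IV for every value
        byte[] cipher;
        using (SymmetricAlgorithm aes = Aes.Create())  // RijndaelManaged on .NET 1.x/2.0
        {
            aes.Key = encKey;                          // 16, 24 or 32 bytes
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (var ms = new MemoryStream())
            {
                using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    byte[] data = Encoding.UTF8.GetBytes(plaintext);
                    cs.Write(data, 0, data.Length);
                    cs.FlushFinalBlock();              // writes the padded last block
                }
                cipher = ms.ToArray();
            }
        }
        byte[] body = Concat(iv, cipher);
        byte[] mac;
        using (var hmac = new HMACSHA256(macKey))
            mac = hmac.ComputeHash(body);              // MAC covers IV and ciphertext
        return Convert.ToBase64String(Concat(body, mac));
    }

    // Returns null when the value is missing, malformed, or fails the MAC check.
    public static string Unprotect(string cookieValue, byte[] encKey, byte[] macKey)
    {
        if (string.IsNullOrEmpty(cookieValue)) return null;
        byte[] blob;
        try { blob = Convert.FromBase64String(cookieValue); }
        catch (FormatException) { return null; }
        if (blob.Length < IvSize + MacSize) return null;
        int bodyLen = blob.Length - MacSize;
        byte[] body = new byte[bodyLen];
        byte[] mac = new byte[MacSize];
        Buffer.BlockCopy(blob, 0, body, 0, bodyLen);
        Buffer.BlockCopy(blob, bodyLen, mac, 0, MacSize);
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(body);
        if (!FixedTimeEquals(mac, expected)) return null;   // verify before decrypting
        byte[] iv = new byte[IvSize];
        Buffer.BlockCopy(body, 0, iv, 0, IvSize);
        using (SymmetricAlgorithm aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            try
            {
                using (ICryptoTransform dec = aes.CreateDecryptor())
                    return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, IvSize, bodyLen - IvSize));
            }
            catch (CryptographicException) { return null; }  // bad padding or length
        }
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        a.CopyTo(r, 0);
        b.CopyTo(r, a.Length);
        return r;
    }

    // Constant-time comparison so MAC verification does not leak via timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Writing the cookie is then `Response.Cookies.Add(new HttpCookie("prefs", CookieProtector.Protect(value, encKey, macKey)) { HttpOnly = true, Secure = true });` and reading it is `CookieProtector.Unprotect(Request.Cookies["prefs"]?.Value, encKey, macKey)`, treating a null result as "no cookie". Two caveats a practitioner should keep in mind: encryption without the MAC would let someone flip bits in the ciphertext and have the server decrypt the result (CBC malleability), which is why the MAC is checked first and compared in constant time; and even with the MAC, an old copy of the cookie can be presented again, so anything that must not be replayed needs an expiry or a per-user binding inside the plaintext that the server also checks.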
So if you have to use cookies to persist data, or sessions to carry information, be responsible with the data and encrypt it. Here are a few references and tools I have collected:
Encrypting Cookie Data with ASP.NET (15 Seconds)
If you have never seen the voluminous quantity of cookie data on your machine, try the following. Open Internet Explorer, select Tools and then Internet Options from the menu. From the Internet Options dialog click the Settings button. Then on the Settings dialog click View Files. An Explorer window will display all the cached data your browser has kindly filled your hard drive with. Sort the list alphabetically, then scroll down to the Cs. (C is for "Cookie" :)) On my machine, there are currently 1,850 cookie files.
So, here is some advice - don't store sensitive data about users in cookies. If you must, then you have a responsibility to protect that data through encryption.
Encryption/Decryption with .NET (The Code Project)
The System.Security.Cryptographic namespace within the Microsoft .NET Framework provides a variety of tools to aid in encryption and decryption. The CryptoStream class is used here to demonstrate the encryption and decryption with System.Security.Cryptographic.SymmetricAlgorithm, such as DESCryptoServiceProvider, RC2CryptoServiceProvider, and RijndaelManaged classes.
Building Secure ASP.NET Applications (Microsoft PAG - PDF Download)
One of the sections of the huge (600+ page) document discusses DPAPI, a reversible encryption method that is machine specific. This is a must-read for a bunch of other reasons, and also provides a nice segue for the next entry.
DPAPI Helper Library (Franklins.net)
Carl Franklin saved us from building that horrendous “simple DPAPI library” in the above article, with a very simple assembly you can drop into any project and use right away. Carl also has a blog entry on this helper library: http://weblogs.asp.net/cfranklin/archive/2004/03/18/91746.aspx. Read the above article to fully appreciate this contribution.
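For readers on .NET Framework 2.0 or later, the Framework itself exposes DPAPI through the ProtectedData class, so the P/Invoke wrapper above is no longer needed. This is an added example, not Carl Franklin's library or the PAG sample, showing the "machine specific, reversible" property in practice; the class name and the entropy string are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not Carl Franklin's library or the PAG sample. Uses the
// ProtectedData class (System.Security.dll, .NET Framework 2.0 and later),
// which wraps the same DPAPI calls the helper library P/Invokes on 1.x.
// The class name and the entropy value are assumptions for illustration.
public static class DpapiHelper
{
    // Optional entropy: an application-specific secret mixed into the key.
    // Without it, any code running under the same scope (every process on
    // the box for LocalMachine) could call Unprotect on the blob.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("example-app-entropy-change-me");

    // Protect a secret (e.g. the cookie-encryption key) for storage in
    // web.config or a file on this server. The result only decrypts on the
    // same machine (LocalMachine) or for the same user profile (CurrentUser).
    public static string Protect(string secret, DataProtectionScope scope)
    {
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(secret), Entropy, scope);
        return Convert.ToBase64String(blob);
    }

    // Reverse of Protect. Throws CryptographicException if the blob came from
    // another machine or user, or was modified, so callers should treat a
    // failure as a configuration error rather than retrying.
    public static string Unprotect(string base64Blob, DataProtectionScope scope)
    {
        byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(base64Blob), Entropy, scope);
        return Encoding.UTF8.GetString(plain);
    }
}
```

The intended use is to run Protect once at deployment time (with DataProtectionScope.CurrentUser under the application pool identity if you can, LocalMachine otherwise), paste the Base64 blob into configuration, and call Unprotect at startup to recover the real key. The machine binding is the point and also the limitation: a blob protected on one server will not decrypt on another, so DPAPI is the right tool for keys and connection strings that stay on the box, and the wrong tool for cookie contents that any node in a web farm may need to read.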
NCrypto (SourceForge)
So you need some crypto stuff (easy to use and ready for shipping) and don’t have enough time or interest in learning and writing all that crypto code?
Cryptography in .NET (The Code Project)
Before the arrival of .NET, cryptography meant using the unmanaged Win32 APIs, which was a very obscure way to encrypt or decrypt data. .NET provides a set of classes (actually a complete namespace) for the subject. Now you have a number of classes using different predefined algorithms that can help you secure your data using cryptography. In .NET, there are three types of cryptography defined under the tree of the Cryptography namespace: AsymmetricAlgorithm, SymmetricAlgorithm and HashAlgorithm. All three of these classes (and also types of cryptography in .NET) are abstract classes. We are going to discuss SymmetricAlgorithm in this article.