Safer Cookies

Encrypt or use Hash client side data (Cookies/Form hiddens).

Setting Cookie with Hash

        
              $server_side_salt = 'random
              string';
            
              $cookie_hash = sha1 ($user_id . $server_side_salt);
            
              setcookie ('MYSITE', $user_id . ':' . $cookie_hash);

HTTP Headers

Cookie: MYSITE=23:5ae4cea15a227e781846203737cba11c

Validating

        
              list ($cookie, $cookie_hash) = explode (':', $_COOKIE['MYSITE']);
            
              if (sha1 ($cookie
              . $server_side_salt) !==
              $cookie_hash) {
            
                  // Invalid cookie.
            
                  exit; //
              or error
            
              }

Regarding SHA1 and its integrity
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
http://en.wikipedia.org/wiki/SHA_hash_functions

Penguicon 2006

PHP Aplication Security

Safer Cookies

Safer Cookies