0

I'm looking for a two-way encryption algorithm to encode an array as a string, so that I can securely store some data in a cookie. The algorithm shouldn't just implode the array, I want it to be obfuscated too. My data contains all printable characters.

A link to something would be sufficient, I just can't seem to dig anything up on Google. Maybe I should just implode the array with some obscure character, and then encrypt it somehow? I'm not sure what method to encrypt it with though... it doesn't have to be too secure, the cookie data isn't that sensitive.

Oh... yeah, the encryption algorithm should let me use a key/salt. mcrypt_encrypt seems to be giving back messy long results, but perhaps I'm not using the right cipher. Which is the simplest cipher (produces short clean strings)?

4
  • 1
    Don't store encrypted data in cookies. If you have to share data between 2 web sites, store an id in the cookie and have the other web site request the data with username and password (using curl). Commented May 7, 2009 at 22:48
  • All I'm storing is an id, and a key, so that users can't forge the cookie. I'm obfuscating it just for good measure, so they don't even know what I'm storing. Commented May 7, 2009 at 23:13
  • Obfuscation and encryption are totally different. Which do you want? Commented May 8, 2009 at 4:50
  • Well, I prefer encryption, but not if it's going to be costly to execute, or a pain in the butt to implement. Commented May 8, 2009 at 8:43

7 Answers

11

serialize() will get your information from an array to a string - and you could pass it through base64_encode() if you just want obfuscation - but not security.

If you want some security - look into mcrypt and blowfish: blowfish example

Regarding mcrypt

Warning This function has been DEPRECATED as of PHP 7.1.0. Relying on this function is highly discouraged.


1 Comment

I know this is an old question, and an old answer, but just as a suggestion to any fellow searchers that come across this, you may want to consider using PHP's OpenSSL Functions instead of the blowfish example linked to in this answer. OpenSSL adds built-in support for a lot of encryption algorithms (which include Blowfish and AES). Also, while security wasn't a huge concern for the OP, AES is generally considered to be more secure than Blowfish, so it is the preferable choice.
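
Following the OpenSSL suggestion in the comment above, an added example (not part of the original answer or comment) that turns an array into an encrypted, tamper-evident cookie string with AES-256-GCM. The function names `seal_array()` and `open_array()`, the JSON encoding and the demo key are assumptions for illustration.

```php
<?php
// Added example: AES-256-GCM via PHP's OpenSSL functions (PHP 7.1+).
// seal_array()/open_array() are hypothetical names, not from the thread.

function seal_array(array $data, string $key): string
{
    $iv  = random_bytes(12);                 // fresh 96-bit nonce per cookie
    $tag = '';
    $ct  = openssl_encrypt(json_encode($data, JSON_THROW_ON_ERROR),
        'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);  // nonce | 16-byte tag | ciphertext
}

function open_array(string $cookie, string $key): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= 28) {
        return null;                         // malformed or truncated
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) {
        return null;                         // tag mismatch: tampered or wrong key
    }
    $data = json_decode($pt, true);          // JSON cannot instantiate objects
    return is_array($data) ? $data : null;
}

// Constructed demo values.
$key    = random_bytes(32);                  // assumption: in practice loaded from server config
$cookie = seal_array(['id' => 42, 'name' => 'alice'], $key);
var_dump(open_array($cookie, $key));         // round trip returns the array

// Flip one bit of the stored value: decryption must refuse it.
$raw     = base64_decode($cookie);
$raw[30] = chr(ord($raw[30]) ^ 1);
var_dump(open_array(base64_encode($raw), $key));
```

The GCM tag is what stops a user from forging or editing the cookie; encryption without an integrity check would hide the contents but still let them be altered.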
9

Based on gnarf's answer, this should do the trick:

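// Obfuscation only: anyone can base64-decode this and read or alter the data.
function encode_arr($data) {
    return base64_encode(serialize($data));
}

function decode_arr($data) {
    // The cookie is user-controlled input, so forbid object instantiation
    // during unserialize() (PHP 7.0+) to avoid object injection.
    return unserialize(base64_decode($data), ['allowed_classes' => false]);
}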

Just in case anyone else wants a copy-and-paste solution.


4

Use serialize() to convert the array to a string and unserialize() to turn it back into an array. It's far superior to implode and manual parsing. For simple obfuscation (which any programmer can see through) you can use simple base64 encoding, but you should really look into the mcrypt library to provide some real security.

The best thing would probably be to not store the array in a cookie at all. Store the array in a session variable instead so that all the user ever sees is a session ID. Of course this only works if you need the array just for the duration of the session.

You say in your comment that this is for a "remember me" cookie, so this is about authentication. In that case, don't store anything sensitive in the array. Just store a salted hash instead and use that. For example, your cookie could contain the username and a salted hash of (database password hash + ip address range). When the user comes on the site, read the cookie and construct the hash from the information in your database. If it matches the hash in the cookie, log him in automatically. If not, delete the cookie and pretend it never existed.

This way no sensitive data is stored in the cookie and you don't need to encrypt it.

1 Comment

which is not the case :) I'm using it for a 'remember me' cookie.
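
The "remember me" scheme described in the answer above, as an added example that is not part of the original answer. It uses HMAC-SHA256 keyed with a server-side secret in place of the answer's "salted hash"; the secret, the `$users` array standing in for the database, the `/24` IPv4 range and all function names are assumptions.

```php
<?php
// Added example; every name and value below is constructed for illustration.
const SERVER_SECRET = 'constructed-demo-secret';   // assumption: real secret lives in server config

// Constructed stand-in for the users table (password hash as stored in the DB).
$users = ['alice' => ['password_hash' => '$2y$10$constructedhashvalueforalice']];

// Assumption: "IP address range" means the first three IPv4 octets.
function ip_range(string $ip): string
{
    return implode('.', array_slice(explode('.', $ip), 0, 3));
}

function remember_mac(string $user, string $pwHash, string $ip): string
{
    // NUL separators keep the fields from running into each other.
    return hash_hmac('sha256', $user . "\0" . $pwHash . "\0" . ip_range($ip), SERVER_SECRET);
}

function make_cookie(string $user, array $users, string $ip): string
{
    return $user . '|' . remember_mac($user, $users[$user]['password_hash'], $ip);
}

// Returns the username to log in, or null (caller then deletes the cookie).
function check_cookie(string $cookie, array $users, string $ip): ?string
{
    $pos = strrpos($cookie, '|');            // the MAC is hex, so split on the last '|'
    if ($pos === false) {
        return null;
    }
    $user = substr($cookie, 0, $pos);
    $mac  = substr($cookie, $pos + 1);
    if (!isset($users[$user])) {
        return null;
    }
    $expected = remember_mac($user, $users[$user]['password_hash'], $ip);
    return hash_equals($expected, $mac) ? $user : null;   // constant-time compare
}

$cookie = make_cookie('alice', $users, '203.0.113.7');
var_dump(check_cookie($cookie, $users, '203.0.113.99'));   // same /24: accepted
var_dump(check_cookie($cookie, $users, '198.51.100.7'));   // other network: rejected
var_dump(check_cookie('alice|' . str_repeat('0', 64), $users, '203.0.113.7')); // forged MAC
```

Because the stored password hash is part of the MAC input, changing the password invalidates every outstanding cookie for that user.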
2

I'd just implode then encrypt using Blowfish or (for so-so security) DES or something...

5 Comments

$str = implode('abc', array('1','2','3')); // $str => "1abc2abc3"
Thanks... didn't even think it was an actual function name or I would have searched for it! Figured it was some complex scheme I hadn't heard of...
Imploding is a really bad idea. If any element of the array contains the same "glue" you're using to implode, you'll have problems when you try to explode the string back into an array.
that's what I was worried about Seb.. which is why I was trying to use some stupid character like "\x1F".
Try serialize(), that's what I use all the time; it works great ;)
1

If security doesn't matter use JSON to encode the array and then rot13 the string ;-)

3 Comments

If security doesn't matter, why bother with encryption?
@TwentyMiles because the question initially mentioned that :-)
It's not a big concern because I'm taking other security measures too which should be pretty darn hard to get around as is. Plus, I'm not storing any confidential information on my website anyway... in fact, I'm not storing much more than a user_id.
0

Try XOR-ing all of the elements in the array and store the resulting char in the string -- then the same in reverse to decrypt.


0

If it doesn't need to be secure, either plain base64 or rot13 might be worth looking at.

