Hi,

I need my users to authenticate against a third party service with the same cookie they use with my website.

Is it safe to share the md5(cookie, service_name) with the service, where service_name is a constant string that all the users will use?

To authenticate against the service a js function will do the md5 of the cookie on the client side and use it.

Is there a better and safer hashing to use or is md5 secure enough?

Do I need to base64 decode the cookie before doing the md5?

Thanks

+1  A: 

There is little chance of reversing the hash to obtain the original cookie data so it is safe in that regard.

You could use a SHA-1 hash instead; however, both are vulnerable to collision attacks, perhaps allowing an unauthorized attacker (who doesn't have the cookie) to gain access to the 3rd party service. I don't know how likely that would be.

As far as base64 decoding it, check and see if it is base64 encoded first.

Sean A.O. Harney
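
The following is an added example, not code from the question or the answer. It puts the md5(cookie, service_name) scheme from the question beside a swapped-in HMAC-SHA-256 derivation and shows why the base64 question matters: both sides must hash the same bytes. It runs under Node.js; the cookie value, the service name and all function names are constructed for illustration.

```javascript
// Added example; runs under Node.js. All values below are constructed.
const crypto = require('crypto');

const SERVICE_NAME = 'example-service'; // hypothetical constant string
// Constructed cookie, stored base64-encoded as in the question.
const COOKIE_B64 = Buffer.from('session-id-0123456789abcdef').toString('base64');

// The scheme from the question: MD5 over cookie and service name joined together.
function md5Token(cookie, serviceName) {
  return crypto.createHash('md5').update(cookie + serviceName).digest('hex');
}

// Swapped-in alternative (not from the page): HMAC-SHA-256 with the cookie
// bytes as key and the service name as message, so the two stay separate inputs.
function hmacToken(cookieBytes, serviceName) {
  return crypto.createHmac('sha256', cookieBytes).update(serviceName, 'utf8').digest('hex');
}

// The base64 text and the decoded bytes are different inputs and give
// different tokens, so client and verifier must agree on one of them.
function tokenFromCookie(cookieB64, serviceName, decodeFirst) {
  const keyBytes = decodeFirst
    ? Buffer.from(cookieB64, 'base64')
    : Buffer.from(cookieB64, 'utf8');
  return hmacToken(keyBytes, serviceName);
}

// Check by a party that knows the cookie (assumption): recompute the token
// from the decoded cookie and compare in constant time.
function verifyToken(cookieB64, serviceName, presentedHex) {
  const expected = Buffer.from(tokenFromCookie(cookieB64, serviceName, true), 'hex');
  const presented = Buffer.from(String(presentedHex), 'hex');
  return presented.length === expected.length &&
    crypto.timingSafeEqual(presented, expected);
}

// Plain concatenation is ambiguous: two different (cookie, service) pairs
// produce the same MD5 input and therefore the same token.
const ambiguous = md5Token('abc', 'def') === md5Token('abcd', 'ef');
// With the key/message split the same two pairs give different tokens.
const separated =
  hmacToken(Buffer.from('abc'), 'def') === hmacToken(Buffer.from('abcd'), 'ef');

console.log({ ambiguous, separated });
console.log('token:', tokenFromCookie(COOKIE_B64, SERVICE_NAME, true));
```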