In web development, when session state is enabled, a session id is stored in cookie(in cookieless mode, query string will be used instead). In asp.net, the session id is encrypted automatically. There are plenty of topics on the internet regarding how you should encrypt your cookie, including session id. I can understand why you want to encrypt private info such as DOB, but any private info should not be stored in cookie at first place. So for other cookie values such as session id, what is the purpose encryption? Does it add security at all? no matter how you secure it, it will be sent back to server for decryption.
Be be more specific,
For authentication purpose,
- turn off session, i don't want to deal with session time out any more
- store some sort of id value in the cookie,
- on the server side, check if the id value exists and matches, if it is, authenticate user.
- let the cookie value expire when browser session is ended, this way.
vs
Asp.net form authentication mechanism (it relies on session or session id, i think)
does latter one offer better security?