I'm looking for a two-way encryption algorithm to encode an array as a string, so that I can securely store some data in a cookie. The algorithm shouldn't just implode the array, I want it to be obfuscated too. My data contains all printable characters.

A link to something would be sufficient, I just can't seem to dig anything up on Google. Maybe I should just implode the array with some obscure character, and then encrypt it somehow? I'm not sure what method to encrypt it with though... it doesn't have to be too secure, the cookie data isn't that sensitive.

Oh... yeah, the encryption algorithm should let me use a key/salt. mcrypt_encrypt seems to be giving back messy long results, but perhaps I'm not using the right cipher. Which is the simplest cipher (produces short clean strings)?

A: 

If security doesn't matter use JSON to encode the array and then rot13 the string ;-)

lothar
If security doesn't matter, why bother with encryption?
TwentyMiles
@TwentyMiles because the question initially mentioned that :-)
lothar
It's not a big concern because I'm taking other security measures too which should be pretty darn hard to get around as is. Plus, I'm not storing any confidential information on my website anyway... in fact, I'm not storing much more than a user_id.
Mark
A: 

Try XOR-ing all of the elements in the array and store the resulting char in the string -- then the same in reverse to decrypt.

Nate Bross
A: 

if it doesn't need to be secure, plain base64 or rot13 might be worth looking at.

Fredrik
+1  A: 

I'd just implode then encrypt using Blowfish or (for so-so security) DES or something...

David Zaslavsky
Implode the array? Explanation or link? thx...
JPhi1618
@JPhi1618 http://ca3.php.net/manual/en/function.implode.php
Mark
$str = implode('abc', array('1','2','3')); // $str => "1abc2abc3"
Thanks... didn't even think it was an actual function name or I would have searched for it! Figured it was some complex scheme I hadn't heard of...
JPhi1618
Imploding is a really bad idea. If any element of the array contains the same "glue" you're using to implode, you'll have problems when you try to explode the string back into an array.
Seb
that's what I was worried about Seb.. which is why I was trying to use some stupid character like "\x1F".
Mark
Try serialize(), that's what I use all the time; it works great ;)
Seb
+6  A: 

serialize() will get your information from an array to a string - and you could pass it through base64_encode() if you just want obfuscation - but not security.

If you want some security - look into mcrypt and blowfish: blowfish example

gnarf
didn't know about serialize(), thanks!
Mark
+3  A: 

Use serialize() to convert the array to a string and unserialize() to turn it back into an array. It's far superior to implode and manual parsing. For simple obfuscation (which any programmer can see through) you can use simple base64 encoding, but you should really look into the mcrypt library to provide some real security.

The best thing would probably be to not store the array in a cookie at all. Store the array in a session variable instead so that all the user ever sees is a session ID. Of course this only works if you need the array just for the duration of the session.

You say in your comment that this is for a "remember me" cookie, so this is about authentication. In that case, don't store anything sensitive in the array. Just store a salted hash instead and use that. For example, your cookie could contain the username and a salted hash of (database password hash + ip address range). When the user comes on the site, read the cookie and construct the hash from the information in your database. If it matches the hash in the cookie, log him in automatically. If not, delete the cookie and pretend it never existed.

This way no sensitive data is stored in the cookie and you don't need to encrypt it.

Sander Marechal
which is not the case :) I'm using it for a 'remember me' cookie.
Mark
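The "remember me" check described in the answer above, as an added example that is not part of the original answer. The server-side secret, the /24 range rule, the cookie layout and the sample users are assumptions; a keyed HMAC stands in for the "salted hash", and the username is bound into it as well.

```php
<?php
// Added example. SERVER_SECRET, the "|" layout and the sample data are assumptions.
const SERVER_SECRET = 'replace-with-long-random-server-side-value';

// Reduce an IPv4 address to its first three octets (a /24 range).
function ip_range(string $ip): string {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return $ip; // assumption: non-IPv4 addresses must match exactly
    }
    return implode('.', array_slice(explode('.', $ip), 0, 3));
}

// Keyed hash over (username + database password hash + IP range).
function remember_token(string $user, string $dbHash, string $ip): string {
    $material = $user . "\0" . $dbHash . "\0" . ip_range($ip);
    return hash_hmac('sha256', $material, SERVER_SECRET);
}

// Cookie value: the username plus the token, nothing sensitive.
function make_cookie(string $user, string $dbHash, string $ip): string {
    return base64_encode($user) . '|' . remember_token($user, $dbHash, $ip);
}

// Returns the username if the cookie matches what the database implies,
// otherwise null (the caller then deletes the cookie).
function check_cookie(string $cookie, callable $lookupHash, string $ip): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 2) return null;
    $user = base64_decode($parts[0], true);
    if ($user === false) return null;
    $dbHash = $lookupHash($user);            // password hash stored in the database
    if ($dbHash === null) return null;       // unknown user
    $expected = remember_token($user, $dbHash, $ip);
    return hash_equals($expected, $parts[1]) ? $user : null; // constant-time compare
}

// Constructed sample data standing in for the user table.
$users  = ['mark' => 'constructed-hash-A', 'seb' => 'constructed-hash-B'];
$lookup = fn(string $u): ?string => $users[$u] ?? null;

$cookie = make_cookie('mark', $users['mark'], '203.0.113.42');
var_dump(check_cookie($cookie, $lookup, '203.0.113.77'));  // same /24 range
var_dump(check_cookie($cookie, $lookup, '198.51.100.9'));  // different range
// Username swapped by the client while keeping mark's token:
$tampered = base64_encode('seb') . '|' . explode('|', $cookie)[1];
var_dump(check_cookie($tampered, $lookup, '203.0.113.42'));
```

Because the token is derived from the stored password hash, changing the password invalidates every outstanding cookie for that user.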
+1  A: 

Based on gnarf's answer, this should do the trick:

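function encode_arr($data) {
    // serialize() turns the array into a string; base64 only obfuscates it, it is not encryption
    return base64_encode(serialize($data));
}

function decode_arr($data) {
    // The cookie is user-controlled: refuse to instantiate objects while unserializing (PHP 7+)
    return unserialize(base64_decode($data), ['allowed_classes' => false]);
}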

Just in case anyone else wants a copy-and-paste solution.

Mark