Explanation
1. The HTTP headers a browser sends, cookies included, travel in clear text. Encrypting cookies protects the application against a number of attacks.
2. These attacks fall into two groups: cookie tampering and cross-application use of cookies.
Cookie tampering: an attacker may try to guess other plausible cookie values in order to attack the application.
Cross-application use of cookies: improperly configured applications may share the same session storage, for example when every application stores its sessions in the /tmp directory by default. As long as each application encrypts its cookies with a different key, a cookie from one application can never be reused in another.
Example
suhosin.cookie.encrypt = On
;; the cryptkey should be generated, e.g. with 'apg -m 32'
suhosin.cookie.cryptkey = oykBicmyitApmireipsacsumhylWaps1
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
;; whitelist/blacklist (use only one)
;suhosin.cookie.cryptlist = WALLET,IDEAS
suhosin.cookie.plainlist = LANGUAGE
;; IPv4 only
suhosin.cookie.cryptraddr = 0
suhosin.cookie.checkraddr = 0

Function test
## By default PHP saves sessions in the tmp path
ls -lrt /tmp | grep sess
## Check the data of a session while the extension is not enabled
cat /tmp/sess_ururh83qvkkhv0n51lg17r4aj6    // the record is plain text
## After the extension is turned on, view the data of a session again
cat /tmp/sess_ukkiiiheedupem8k4hheo0b0v4    // the record is ciphertext, which shows how much encryption matters for security
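The test above compares session files by eye. The following script is an added example (not part of the original page) that automates the same check: it classifies every sess_* file in a directory as plaintext or opaque by testing for the "name|<serialized value>" record format that PHP's default files save handler writes. It assumes the default files handler and session.save_path = /tmp; the two session files it scans are constructed demo data, not real sessions.

```shell
#!/bin/sh
# Classify PHP session files as plaintext or opaque (encrypted/binary).
# Assumptions (not from the original page): default "files" save handler,
# session.save_path=/tmp, sessions serialized as 'name|<php serialization>'.

# Print "plaintext" when the file begins with a PHP session record such as
# 'user|s:5:"admin";' (type letters a,b,d,i,s,N,O), otherwise "opaque".
classify_session_file() {
    f="$1"
    if head -c 200 "$f" | LC_ALL=C grep -Eq '^[A-Za-z_][A-Za-z0-9_]*\|[abdisNO]:'; then
        echo plaintext
    else
        echo opaque
    fi
}

# Scan a session directory (default /tmp) and report one line per sess_* file.
scan_session_dir() {
    dir="${1:-/tmp}"
    for f in "$dir"/sess_*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(classify_session_file "$f")" "$f"
    done
}

# Constructed demo data: one plaintext session and one opaque (ciphertext-like) session.
demo_dir=$(mktemp -d)
printf 'user|s:5:"admin";role|s:5:"admin";' > "$demo_dir/sess_demo_plain"
printf '\302\243\001\177\361blob\010\233' > "$demo_dir/sess_demo_opaque"
scan_session_dir "$demo_dir"
```

Run it against the real directory with `scan_session_dir /tmp` before and after enabling the extension; any file still reported as plaintext holds session data readable by anyone with access to that path.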
The above is how cookie encryption is configured in PHP. Once you have learned it, try it out in practice as soon as possible.