Secure Cookie

Kazi Manzur Rashid — Thu, 18 Jan 2007 17:20:00 GMT

This my second post of almost same topic asp.net lacking. This time it is Cookie. Still Asp.net has the lacking of creating encrypted cookie. Here is another handy class which generates encrypted cookie.

Usage:

//Writing Cookie
SecureCookie.Set(Response, "Key1", "Value1", DateTime.Now.AddDays(1));
SecureCookie.Set(Response, "Key1", "Value1"); //Overloaded

//Reading Cookie
string key1Value = SecureCookie.Get(Request, "Key1");

SecureCookie:

using System;
using System.IO;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Diagnostics;
using System.Security.Cryptography;


public sealed class SecureCookie
{
    //Rijndael Key size is 256 bit or 32 byte, Can also be mentioned in web.config instead of hardcoding
    private static readonly byte[] Key = new byte[] {45, 236, 171, 7, 85, 6, 41, 34, 216, 14, 78, 156, 78, 3, 103, 154, 9, 150, 65, 54, 226, 95, 68, 79, 159, 36, 246, 57, 177, 107, 116, 8};

    [DebuggerStepThrough()]
    public static void Set(HttpResponse response,
    string key,
    string value,
    DateTime expire)
    {
        HttpCookie cookie = new HttpCookie(HttpUtility.UrlEncode(Encrypt(key)), HttpUtility.UrlEncode(Encrypt(value)));

        if ((expire != DateTime.MinValue) && (expire != DateTime.MaxValue))
        {
            cookie.Expires = expire;
        }

        response.Cookies.Set(cookie);
    }

    [DebuggerStepThrough()]
    public static void Set(HttpResponse response,
    string key,
    string value)
    {
        Set(response, key, value, DateTime.MaxValue);
    }

    [DebuggerStepThrough()]
    public static string Get(HttpRequest request, string key)
    {
        HttpCookie cookie = request.Cookies[HttpUtility.UrlEncode(Encrypt(key))];

        if (cookie == null)
        {
            return null;
        }

        if ((cookie.Value == null) || (cookie.Value.Length == 0))
        {
            return null;
        }

        string value = HttpUtility.UrlDecode(cookie.Value);

        return Decrypt(value);
    }

    [DebuggerStepThrough()]
    private static string Encrypt(string plain)
    {
        if ((plain == null) || (plain.Length == 0))
        {
            return null;
        }

        using(SymmetricAlgorithm crypto = CreateCrypto())
        {
            return System.Convert.ToBase64String(Read(crypto.CreateEncryptor(), Encoding.ASCII.GetBytes(plain)));
        }
    }

    [DebuggerStepThrough()]
    private static string Decrypt(string cipher)
    {
        if ((cipher == null) || (cipher.Length == 0))
        {
            return null;
        }

        using(SymmetricAlgorithm crypto = CreateCrypto())
        {
            return Encoding.ASCII.GetString(Read(crypto.CreateDecryptor(), System.Convert.FromBase64String(cipher)));
        }
    }

    [DebuggerStepThrough()]
    private static SymmetricAlgorithm CreateCrypto()
    {
        //Using Rijndael as it is much more secure among the others
        SymmetricAlgorithm crypto = new RijndaelManaged();

        crypto.Key = Key;
        crypto.IV = new byte[crypto.IV.Length];

        return crypto;
    }

    [DebuggerStepThrough()]
    private static byte[] Read(ICryptoTransform transformer,
    byte[] data)
    {
        using(MemoryStream ms = new MemoryStream())
        {
            using(CryptoStream cs = new CryptoStream(ms, transformer, CryptoStreamMode.Write))
            {
                cs.Write(data, 0, data.Length);
                cs.FlushFinalBlock();

                return  ms.ToArray();
            }
        }
    }
}

My First Article

Kazi Manzur Rashid — Sat, 13 Jan 2007 18:14:00 GMT

Recently I wrote an article "How to exchange data securely with a WebService without HTTPS/SSL" in codeproject. If Cryptography, Public/Private Key, Digital Signature and Web Service are one of your interest, I strongly recommend to read it.