A few questions about encrypting cookies

Hello. I have some questions about cookies and encryption but couldn’t find what I was looking for.

  1. What are best practices for generating an encryption salt for cookies? Can it be hardcoded like the signing_salt (in the Plug.Session config in endpoint.ex) or does it need to be dynamically generated?

  2. Using the default algorithm and key length, what kind of performance impact should be expected when changing cookies to encrypted? I found a comment by Jose in the Rails repo from back in 2012 where he says he is not “pleased with the overhead of encrypting cookies by default” which implies that it must be significant or at least noticeable. Is there an easy way to set up benchmarking and measure it?

  3. What are the considerations for existing cookies out in the wild when going from unencrypted to encrypted cookies? Based on my testing they seem to just get invalidated (which is expected) – should I expect any error messages? Most importantly: is there a way to do this without forcing all users to essentially log out and back in?


The encryption salt is used to derive an encryption key from the master secret. As long as your master secret is kept safe, the various salts just have to be different, to ensure each use-case produces its own key.

Like most performance questions, it is hard to quantify this in generic terms. Much of it depends on the performance of the rest of your app, and whether it is CPU or I/O bound. In an application that spends a lot of time waiting to talk to the DB or filesystem, the CPU may be free to spend a couple of extra cycles on crypto operations. The only way to be sure is to measure.

I don’t think there is an easy way. If you really, really want it, I guess you’d have to write your own session store to be selected using the :store option, and just delegate everything to Plug.Session.COOKIE except get/3, which would inspect the shape of the session cookie value and set/clear :encryption_salt in the options accordingly before invoking Plug.Session.COOKIE.get/3.

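One way to build the delegating store described in the reply above, as an added example that is not part of the original thread and not code from Plug itself. Rather than parsing the cookie's shape, it relies on the fact that Plug.Session.COOKIE.get/3 returns `{nil, %{}}` when a cookie cannot be decrypted or verified (logging at the store's `:log` level, which defaults to `:debug`): it tries the encrypted configuration first and falls back to the signed-only one for cookies issued before the switch, while every write uses the encrypted configuration. The module name `MyApp.MigratingCookieStore` and the cookie key `_my_app_key` are assumptions for illustration.

```elixir
# Added example (not from the original thread or from Plug): a Plug.Session.Store
# that wraps Plug.Session.COOKIE so signed-only cookies issued before the switch
# are still readable, while every cookie written from now on is encrypted.
#
# Usage in endpoint.ex (names here are assumed for illustration):
#
#   plug Plug.Session,
#     store: MyApp.MigratingCookieStore,
#     key: "_my_app_key",
#     signing_salt: "signing salt",
#     encryption_salt: "encryption salt"
defmodule MyApp.MigratingCookieStore do
  @behaviour Plug.Session.Store

  alias Plug.Session.COOKIE

  @impl true
  def init(opts) do
    unless Keyword.has_key?(opts, :encryption_salt) do
      raise ArgumentError, "#{inspect(__MODULE__)} requires an :encryption_salt option"
    end

    %{
      # Primary configuration: the normal encrypted cookie store. Logging is
      # turned off for this one so a legacy cookie does not produce a spurious
      # "could not verify" entry before the fallback gets a chance to read it.
      encrypted: COOKIE.init(Keyword.put(opts, :log, false)),
      # Fallback configuration: identical options minus :encryption_salt, i.e.
      # exactly what the store looked like before encryption was enabled.
      signed: COOKIE.init(Keyword.delete(opts, :encryption_salt))
    }
  end

  @impl true
  def get(conn, raw_cookie, %{encrypted: encrypted, signed: signed}) do
    # COOKIE.get/3 yields {nil, %{}} on any decryption/verification failure, so
    # a non-empty session means the cookie was a valid encrypted cookie. An
    # empty (but valid) encrypted session also falls through to the signed
    # attempt, which then fails and returns {nil, %{}} as well, so the result
    # is the same either way.
    case COOKIE.get(conn, raw_cookie, encrypted) do
      {nil, data} when map_size(data) > 0 -> {nil, data}
      _ -> COOKIE.get(conn, raw_cookie, signed)
    end
  end

  @impl true
  def put(conn, sid, term, %{encrypted: encrypted}) do
    # Writes always produce an encrypted cookie, so a legacy signed-only cookie
    # is replaced the first time the session is written after the upgrade.
    COOKIE.put(conn, sid, term, encrypted)
  end

  @impl true
  def delete(conn, sid, %{encrypted: encrypted}) do
    COOKIE.delete(conn, sid, encrypted)
  end
end
```

Two caveats worth keeping in mind. Plug.Session only writes the cookie back when the session is modified (or `Plug.Conn.configure_session(conn, renew: true)` is called), so a user whose session is merely read keeps the old signed-only cookie until the next write. And the fallback keeps accepting signed-only cookies indefinitely: they are still integrity-protected by the signing key, so this is not a forgery vector, but their contents stay readable by anyone who can see the cookie, so swap the store back to the plain `:cookie` store once the configured `:max_age` has passed and no legacy cookies can still be valid.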