Signed session cookies. A good idea?

日久生厌 2020-12-07 12:36

In an effort to increase performance, I was thinking of trying to eliminate a plain 'session cookie', but encrypt all the information in the cookie itself.

A very

5 answers
  •  执念已碎
    2020-12-07 12:48

    You should not reinvent the wheel. The session handler that comes with your development platform is far more secure and certainly easier to implement. Cookies should always be very large random numbers that link to server-side data. A cookie that contains a user id and a time stamp doesn't help harden the session from attack.

    This proposed session handler is more vulnerable to attack than using a cryptographic nonce for each session. An attack scenario is as follows.

    It is likely that you are using the same secret for your HMAC calculation for all sessions. Thus this secret could be brute forced by an attacker logging in with his own account. By looking at his session id he can obtain everything except the secret. Then the attacker could brute force the secret until the HMAC value can be reproduced. Using this secret he can rebuild an administrative cookie by setting user_id=1, which will probably grant him administrative access.
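The scenario in the answer above (a self-contained cookie of the kind the question proposes, one HMAC secret shared by every session, the secret recovered offline from the attacker's own cookie, then an administrative cookie forged) worked through as an added example. This is not code from the original post or from any particular framework. The cookie layout `user_id=...&ts=...|hmac`, the constructed weak secret `secret1`, the candidate-secret list and the timestamps are all assumptions made for the demonstration; the `SessionStore` class shows the server-side alternative the answer recommends, where the cookie carries only a random identifier.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# --- The proposed design: all session state lives in the cookie, signed with one shared secret ---

def sign_cookie(payload: str, secret: bytes) -> str:
    """Build a stateless cookie: the plaintext payload followed by HMAC-SHA256 over it."""
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(cookie: str, secret: bytes) -> Optional[Dict[str, str]]:
    """Server side: recompute the tag and accept the payload only if it matches.
    Returns the parsed key/value pairs, or None if the tag is wrong or missing."""
    payload, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return dict(kv.split("=", 1) for kv in payload.split("&"))


# --- Attacker side: everything but the secret is visible in the attacker's own cookie ---

def recover_secret(cookie: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline guess of the shared secret: try each candidate until the observed tag reproduces.
    No interaction with the server is needed, so rate limiting does not help.
    This only succeeds when the secret is guessable; a 32-byte random secret will not be found."""
    payload, _, tag = cookie.rpartition("|")
    for cand in candidates:
        guess = hmac.new(cand, payload.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(guess, tag):
            return cand
    return None


def forge_admin_cookie(secret: bytes, ts: int) -> str:
    """With the secret in hand, mint a cookie for user_id=1 (the assumed administrative id)."""
    return sign_cookie(f"user_id=1&ts={ts}", secret)


# --- The alternative the answer recommends: opaque random id, state kept on the server ---

class SessionStore:
    """Cookie value is a large random token; all session data is looked up server-side.
    There is nothing in the cookie to tamper with and no shared secret to recover."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, int]] = {}

    def create(self, user_id: int) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, infeasible to guess
        self._sessions[sid] = {"user_id": user_id}
        return sid

    def lookup(self, sid: str) -> Optional[Dict[str, int]]:
        return self._sessions.get(sid)


def demo_attack() -> Optional[Dict[str, str]]:
    """Run the whole scenario with a constructed weak secret; returns what the server would accept."""
    weak_secret = b"secret1"                       # constructed: a guessable deployment secret
    ts = 1607344560                                # constructed timestamp
    attacker_cookie = sign_cookie(f"user_id=42&ts={ts}", weak_secret)  # attacker's own login
    wordlist = (f"secret{i}".encode() for i in range(1000))            # constructed candidate list
    recovered = recover_secret(attacker_cookie, wordlist)
    if recovered is None:
        return None
    forged = forge_admin_cookie(recovered, ts)
    return verify_cookie(forged, weak_secret)     # server accepts the forged admin session


if __name__ == "__main__":
    print("forged cookie accepted as:", demo_attack())
    store = SessionStore()
    sid = store.create(42)
    print("server-side lookup of a tampered value:", store.lookup("user_id=1"))
```

Running `demo_attack()` shows the server parsing `user_id=1` out of a cookie the attacker built, which is the failure mode the answer describes. Against a secret drawn from `secrets.token_bytes(32)` the same `recover_secret` loop never terminates successfully, so the practical objection is not to HMAC itself but to relying on a single long-lived secret that, once guessed or leaked, lets anyone mint any session; the `SessionStore` path has no such secret and a forged cookie simply fails the lookup.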
