I'm interested in your advice/opinion on this security problem.
I was thinking on doing something like this:
@Marko A few comments about how secure this kind of "session in a cookie" approach is:
First of all, as said by others as well, you need a secure connection. There is no reliable way around this requirement. It is a must.
Other than that, there are quite a few pitfalls regarding implementing a secure encryption/authentication system. For example you need to make the MAC verification "constant-time", you need to pay attention to how you implement the encryption/authentication (mode of operation, IV creation etc.). And so on.
If you are unsure about such issues, I recommend you take a look at TCrypto (which I maintain):
TCrypto
It is a small PHP 5.3+ key-value storage library (cookies will be used as a storage backend by default). Designed exactly for (scalable) "session in a cookie" usage. Feel free to use it :) Also, if you are interested in the low-level implementation, take a look at the code. The codebase is not that huge, I guess it would do quite well at demonstrating encryption related code usage in PHP applications.
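The pitfalls listed in the answer above (separate keys for encryption and authentication, a fresh random IV per cookie, encrypt-then-MAC over everything including the version byte and IV, constant-time tag comparison before touching the ciphertext, and an expiry baked into the protected payload) are language-independent, so here is an added, stand-alone illustration of a "session in a cookie" sealer/opener. It is example code written for this page, not TCrypto's code or the poster's design, and it is in Python rather than PHP so it runs with the standard library only. Because the standard library has no block cipher, the keystream is produced by HMAC-SHA256 in counter mode; that is an assumption of this demo, and in a real deployment you would use an AEAD such as AES-GCM (or a vetted library like the one recommended above) in its place. Function names (`seal`, `open_cookie`, `derive_subkeys`) and the cookie layout are likewise made up for the example.

```python
import hashlib
import hmac
import json
import os
import struct
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

VERSION = b"\x01"  # hypothetical format version byte, authenticated along with the rest
IV_LEN = 16
TAG_LEN = 32       # HMAC-SHA256 output length
EXPIRY_LEN = 8     # big-endian unsigned seconds since the epoch


def derive_subkeys(master_key: bytes):
    """Derive independent encryption and MAC keys from one master key (HMAC as a PRF)."""
    enc_key = hmac.new(master_key, b"session-cookie/encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"session-cookie/authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (demo stand-in for a block cipher)."""
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream += hmac.new(enc_key, iv + struct.pack(">Q", block_no), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master_key: bytes, session: dict, ttl_seconds: int, now: float = None) -> str:
    """Encrypt-then-MAC a session dict into a URL-safe cookie value."""
    enc_key, mac_key = derive_subkeys(master_key)
    expires = int((time.time() if now is None else now) + ttl_seconds)
    # Expiry lives inside the encrypted, authenticated payload so the client cannot extend it.
    plaintext = struct.pack(">Q", expires) + json.dumps(session, separators=(",", ":")).encode()
    iv = os.urandom(IV_LEN)  # fresh random IV per cookie; never reuse with the same key
    ciphertext = _keystream_xor(enc_key, iv, plaintext)
    body = VERSION + iv + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # MAC covers version + IV + ciphertext
    return urlsafe_b64encode(body + tag).decode("ascii")


def open_cookie(master_key: bytes, cookie: str, now: float = None):
    """Verify and decrypt a cookie; return the session dict, or None on any failure."""
    enc_key, mac_key = derive_subkeys(master_key)
    try:
        raw = urlsafe_b64decode(cookie.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) < len(VERSION) + IV_LEN + EXPIRY_LEN + TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak how many leading tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    # Only after the MAC passes do we look at anything inside the body.
    if body[:len(VERSION)] != VERSION:
        return None
    iv = body[len(VERSION):len(VERSION) + IV_LEN]
    plaintext = _keystream_xor(enc_key, iv, body[len(VERSION) + IV_LEN:])
    expires = struct.unpack(">Q", plaintext[:EXPIRY_LEN])[0]
    if (time.time() if now is None else now) >= expires:
        return None
    try:
        return json.loads(plaintext[EXPIRY_LEN:].decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    key = os.urandom(32)
    cookie = seal(key, {"uid": 42, "role": "user"}, ttl_seconds=600)
    print("cookie:", cookie)
    print("opened:", open_cookie(key, cookie))
    tampered = cookie[:-8] + ("A" if cookie[-8] != "A" else "B") + cookie[-7:]
    print("tampered:", open_cookie(key, tampered))
```

Note that the cookie still has to travel over TLS, as the answer insists: this construction stops forgery and hides the contents, but it does nothing about a stolen cookie being replayed from another client before it expires.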