user1192900

Reputation: 49

Should I encrypt non-authentication cookies (i.e. those that solely enhance the user experience)?

I am implementing the use of cookies on my site. Some are user-authentication cookies (which I know it is important to encrypt), while others are simply to store user-specific data, e.g. their display preferences. My question is this: these cookies are there to enhance the user experience, and repeated trips to the server to decrypt these cookies obviously make the user experience slower. Is there any reason why I should encrypt these cookies? If I neglect to do so, the user has a much smoother experience, with the reading of the cookies only occurring client-side. Thanks

Upvotes: 1

Views: 106

Answers (1)

damiankolasa

Reputation: 1510

You've asked a valid question with a bad example. Non-critical cookies don't need to be encrypted.

BUT for non-critical cookies I consider language selection, page theme, favourite search etc. And they don't need to be encrypted because the information they transfer is not confidential. BUT it still means that those values should be checked, i.e. not included directly in page content, not trusted implicitly, because the user can change their value.

As to the user basket (I think it's pretty critical)... You should keep the data in the session and issue the user a session cookie.... that's it. Or if you use a cookie, encrypt it, and check its contents before making any decisions or operations on data received from that or any cookie.

You have to remember that encrypting a cookie does not necessarily mean that its value cannot be changed; it means that it cannot be read. So you should always encrypt some context info, i.e. username, time, id etc., and validate them after decryption.

Upvotes: 2
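As an added example (not code from the question or the answer), here is one way to implement the two points the answer makes: a readable preference cookie is constrained to an allowlist before it is used, and a cookie carrying data the server must trust (the basket) gets an HMAC tag so that a modified value is rejected, since, as the answer notes, secrecy alone does not give you integrity. The secret key and the cookie contents are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Preference cookies carry no secrets, so they are left readable client-side,
# but their values are still constrained to an allowlist before use.
ALLOWED_THEMES = {"light", "dark"}

def read_preference(cookies: dict, name: str, allowed: set, default: str) -> str:
    """Return the cookie value only if it is on the allowlist, else the default."""
    value = cookies.get(name)
    return value if value in allowed else default

# Constructed placeholder secret; a real deployment loads this from a secrets store.
SECRET = b"example-placeholder-secret"

def _encode(payload: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()

def sign_cookie(payload: dict) -> str:
    """Serialise the payload and append an HMAC-SHA256 tag (integrity, not secrecy)."""
    body = _encode(payload)
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_cookie(cookie: str):
    """Return the payload if the tag matches, else None (tampered or malformed)."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):  # constant-time compare
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None

def tampered_copy(cookie: str, new_payload: dict) -> str:
    """Simulate a client editing the body while keeping the original tag (for testing)."""
    _, _, tag = cookie.rpartition(".")
    return f"{_encode(new_payload)}.{tag}"

if __name__ == "__main__":
    basket = sign_cookie({"items": [{"sku": "A1", "qty": 1, "price": 20.0}]})
    print("valid:", verify_cookie(basket))
    forged = tampered_copy(basket, {"items": [{"sku": "A1", "qty": 1, "price": 0.01}]})
    print("forged:", verify_cookie(forged))  # None: the tag no longer matches the body
```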
