Daryl Gill

Reputation: 5524

Successfully Locking Down Cookies

Whilst in the process of overhauling some of a supported site's security, the subject of cookies has come into my head, and the logic behind correctly locking them down client-side to prevent as many changes/malicious changes as possible.

About the site: The site I work on uses both sessions and cookies for user experience. The session handles the majority of the data, but cookies provide support for sessions, such as auto-logging in, holding minimal user data (nothing sensitive). But cookies are stored on the client machines and can be modified client-side.

I'm aware that there are session tokens and methods involving databases to assist in locking down cookies. But is there a successful method to protect them client-side? As an aspect of security, I have introduced a form of encryption on the majority of the database and had the idea to use this on cookies and decrypt server-side, so the cookie can be stored encrypted on the client's machine, holding data without the worry. But is this going out of the way a little bit, and might there be a simpler option rather than changing a cookie mechanic to go through a function to handle the decryption/manipulation?

Upvotes: 0

Views: 37

Answers (1)

user149341


Avoid storing sensitive data in cookies, even in encrypted form — there are still ways that it can be tampered with. In particular, even if your encryption scheme is not malleable, it is still likely possible for a user to save and restore cookies that your application tried to overwrite, effectively "rolling back" the value of the data that they stored.

Use server-side sessions to store any data that the client should not be able to view or modify.

Upvotes: 1
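As an added illustration of the answer's rollback point (example code written for this page, not code from the asker's site or from the answerer), the following Python models the two designs side by side. For the client-side variant it uses an HMAC-signed cookie rather than an encrypted one: this is the stronger integrity case (forging a new value fails), and the rollback still works, exactly as it would against an authenticated-encryption scheme, because a previously issued value stays valid for as long as the key does. The server-side variant stores only an opaque session id in the cookie, so restoring an old cookie just points at the server's current state. The key, the field names and the `SessionStore` class are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def sign_cookie(payload: dict) -> str:
    """Serialize payload and append an HMAC-SHA256 tag (integrity, not secrecy)."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(value: str):
    """Return the payload if the tag verifies, otherwise None."""
    try:
        body, tag = value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def tamper_is_rejected() -> bool:
    """Editing the body without the key produces an invalid tag."""
    issued = sign_cookie({"user": "alice", "credits": 10})
    _, tag = issued.rsplit(".", 1)
    forged_body = base64.urlsafe_b64encode(
        json.dumps({"credits": 999, "user": "alice"}).encode()
    ).decode()
    return verify_cookie(f"{forged_body}.{tag}") is None


def rollback_against_signed_cookie() -> int:
    """Client saves an old cookie, server overwrites it, client restores the copy.

    The restored copy still verifies, so the server accepts the stale value.
    """
    issued = sign_cookie({"user": "alice", "credits": 10})
    saved_by_client = issued                      # copy taken from the browser
    sign_cookie({"user": "alice", "credits": 0})  # server "overwrites" after a spend
    return verify_cookie(saved_by_client)["credits"]


class SessionStore:
    """Minimal in-memory server-side session store (constructed for the demo)."""

    def __init__(self):
        self._sessions = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)   # opaque, unguessable id is all the cookie holds
        self._sessions[sid] = dict(data)
        return sid

    def update(self, sid: str, **changes) -> None:
        self._sessions[sid].update(changes)

    def get(self, sid: str):
        return self._sessions.get(sid)


def rollback_against_server_session() -> int:
    """Same replay attempt: the old cookie is only an id, so it resolves to current state."""
    store = SessionStore()
    sid = store.create({"user": "alice", "credits": 10})
    saved_by_client = sid
    store.update(sid, credits=0)          # the spend is recorded server-side
    return store.get(saved_by_client)["credits"]


if __name__ == "__main__":
    print("tamper rejected:", tamper_is_rejected())
    print("signed cookie after rollback:", rollback_against_signed_cookie())
    print("server session after rollback:", rollback_against_server_session())
```

The signed cookie is still the right tool for what the question describes as non-sensitive convenience data, but anything whose current value matters (balances, roles, "already used" flags) belongs in the server-side store, where an old cookie cannot resurrect it.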
