Denys Alexieiev

Reputation: 254

Should cookie encryption key be unique?

Please advise whether it is OK to have one encryption key stored somewhere which will be used to encrypt cookies for all users; in this case the key will probably be rarely changed. Or should the key be unique for each user or session?

Thanks in advance.

Upvotes: 0

Views: 200

Answers (1)

Maarten Bodewes

Reputation: 94038

Yes, you can reuse keys for ciphers. However, you must then make sure that your ciphertext is properly randomized by providing a nonce or IV according to the mode in which the cipher is used. There may also be bounds on how many times the key can be used, but generally those numbers are relatively high. Again, this depends on the cipher scheme being used.

This is a direct answer; I agree with the comment that storing ciphertext in a cookie may not be what you ultimately need.

Upvotes: 1
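
The answer's point about reusing one key with a fresh nonce per message, as an added example that is not part of the original answer. It assumes Node.js and AES-256-GCM (one possible mode; the answer names none); the function names, the `nonce || ciphertext || tag` cookie layout and the demo key are hypothetical.

```javascript
// Added example: one long-lived key for all users, a fresh random nonce per cookie.
const crypto = require('node:crypto');

const NONCE_LEN = 12; // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;   // 128-bit authentication tag

// Constructed demo key; a real deployment loads 32 random bytes from a secret store.
const SERVER_KEY = crypto.randomBytes(32);

// Returns base64url(nonce || ciphertext || tag).
function sealCookie(key, plaintext) {
  const nonce = crypto.randomBytes(NONCE_LEN); // must never repeat under the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]).toString('base64url');
}

// Returns the plaintext, or null if the value is malformed or was modified.
function openCookie(key, value) {
  const raw = Buffer.from(value, 'base64url');
  if (raw.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = raw.subarray(0, NONCE_LEN);
  const tag = raw.subarray(raw.length - TAG_LEN);
  const body = raw.subarray(NONCE_LEN, raw.length - TAG_LEN);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch {
    return null; // tag check failed: wrong key or altered cookie
  }
}

// Flip one bit after the nonce, as a client editing its own cookie would.
function tamper(value) {
  const raw = Buffer.from(value, 'base64url');
  raw[NONCE_LEN] ^= 0x01;
  return raw.toString('base64url');
}
```

Sealing the same plaintext twice under `SERVER_KEY` yields two different cookie values because the nonce differs, and `openCookie` returns `null` for any value that fails the tag check.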
