
Cookies in encrypted form

sridhar lakka
Ranch Hand

Joined: Jan 02, 2007
Posts: 109
Hi All,
Thanks in advance.
I am familiar with normal cookies, like how to add information to a cookie and how to retrieve data from a cookie, but the user/client can change his/her information which is stored in the cookie. To overcome this problem I have to encrypt the cookie information. Could anyone please tell me how we can achieve this, if possible with example code or related sites?
Do we have any limitation on cookie data, like 20K or something?

Ben Souther

Joined: Dec 11, 2004
Posts: 13410

The simplest rule of thumb is not to put anything sensitive in a cookie.

What are you trying to do?
There might be some better alternatives.

kelby zorgdrager

Joined: Feb 05, 2008
Posts: 12
You might want to explore how sites like Amazon one click work. Simplistically, instead of putting sensitive data directly in the cookie, put a hashed unique client key. In the code, grab the hashed client key, then look up the client's real information from the DB using the client key.

sridhar lakka
Ranch Hand

Joined: Jan 02, 2007
Posts: 109
Thanks for your reply.
Could you please tell me the site address where I can get some example code or some useful information?
Can we store cookie value in encrypted format or not?

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
Several points in no particular order:
  • Ben's question is a good one: why store encrypted data on the client? If you're using cookies anyway, why not make them session cookies, and keep the secret data in a session on the server?
  • The cookie spec specifies what number and size of cookies clients SHOULD support, but that's not guaranteed.
  • Sure you can store encrypted data in cookies. The standard Java API for en-/decryption is called JCE. Note that encrypted data is binary in nature; in order to store it in cookies you'll need to encode it with something like base-64.
