How to prevent users from modifying cookie values

I am storing an ItemId value in a cookie to keep track of the users currently selected item. This ItemId is not sensitive data, I don't care if users can see the value. This value will need to be accessed on most pages, that was why the decision was made to keep the value in a cookie instead of the database. If it were in the db i wouldn't have this problem.

The problem is the user could modify that cookie ItemId to another users ItemId and they would then potentially be able to perform actions on someone else's item. That is unless I verify the cookie value against the database to make sure it is valid for the user logged in. Which means a hit to the db 开发者_如何转开发defeating the purpose of putting the value in a cookie.

Basically my question is how do I prevent the user from modifying the cookie or at least knowing it was modified? I know the .NET forms authentication cookie stores user id and role data, so they obviously have the same issue..

My initial thought was to encrypt the values in the cookie. I understand the cookie could still be hijacked, but would this at least prevent tampering its values?

Maybe I should have gone the db route instead?

Thanks.

The standard answer this "No data from the browser is trustworthy".

None.

verify the cookie value against the database to make sure it is valid for the user logged in.

Correct. That's the solution.

Which means a hit to the db defeating the purpose of putting the value in a cookie.

True on the DB hit, but irrelevant, since databases have cache.

The cookie, however, still has some value.

What you should do, however, is use a framework that maintains sessions and use the session to track this. Not a cookie you invented yourself.

The following two quotes from the OP contradict each other:

This ItemId is not sensitive data

And

The problem is the user could modify that cookie ItemId to another users ItemId and they would then potentially be able to perform actions on someone else's item.

The entire premise of your question is poor. I cannot tell you how to prevent the user from modifying cookie values because you should NEVER trust anything sent by the client. Always ASSUME that the client WILL modify cookie values ALL THE TIME. Anything else is just extremely poor design.

The only cookies you should use are:

• User Token - A random, multi-character (say 10-digit long) alphanumeric string that relates back to an actual User ID in the database.

• Authentication Token - A random, mult-character (say 100-digit long) alphanumeric string that, once hashed, must match the stored value for said User ID in the database.

• View preference cookies - Little cookies that don't matter, such as selecting what CSS theme to serve to the client, or whether the presented data should be sorted A-Z or Z-A, etc. Stuff that doesn't matter if it's cleared and has no significant bearing on the client or any other user.

P.S. Do not worry about "hitting" the database on each page load. That's what databases are designed for. I can't think of even one modern professional website that doesn't query a database for each page view.

If you're ever worried about cookie values being tampered with, then I would consider it sensitive enough to, at the minimum, be encrypted.

Get yourself a key, initialization vector and encrypt that cookie before sending it to the client. Your only other option is a database, but you will still need to some other method of uniquely identifying a user (read: membership provider)

I decided to use an MD5 hash to verify user did not tamper with the cookie values.