Open anonymous-matomo-user opened 11 years ago
Attachment: Patch created against master commitpoint 6257f0655ae8fc8ca6b99f700783f3d0f18dbf35 cookie_encryption.patch
For Piwik 2.0, it might be easier to simply drop our setcookie wrapper and advise users to use Suhosin's built-in cookie encryption.
@vipsoft, Suhosin is dead. There hasn't been any release for PHP 5.4 nor 5.5 and there most likely will never be any.
Hi,
this is the first time I have opened such a ticket, so I apologize if I make any mistakes here.
As discussed in the forum, I suggest implementing an option to encrypt cookie content to solve two non-trivial security issues. The first is to prevent users from manipulating the cookie content, and the second is better cooperation with security tools like Mod-Security.
For this purpose I am trying to implement a Blowfish class to transparently encrypt everything you like. Find my patch file attached to this ticket.
For now I need help and someone who has a deeper understanding of what Piwik does internally. So here is my first try.
Keywords: blowfish, cookie encryption