Secure/Encrypted cookies in ASP.NET with System.Cryptography

In today's world one cant transmit a digital syllable without some kind of protective wrapper around it. Us Neos of the binary world have always struggled with proper cipher methods to do so.

In other words, beginners always have had difficulty in implementing a reliable yet flexible method for securing cookies. I have used the following code often and I am sure this will help anyone looking for a quick-fix solution to secure cookies.

The basic architecture is to create static methods to which you pass a cookie and get a encrypted version in return. It also conveniently retrieves the Algorithm to use as well as the key to encrypt/decrypt from the web.config file and can be adapted to retrieve/generate the key in other ways.

Step 1: Start off with our class.

1.  using System.Security.Cryptography; //and other...    
2.      
3.  public class Security    
4.  {    
5.      //If you dont want ur methods to be static then use this and  instantiate an object before use     
6.      //byte[] Key;    
7.      //string AlgorithmName;    
8.      
9.      public Security()    
10.      {    
11.          //If you dont want ur methods to be static then use this    
12.          //char[] chars = { ',' };    
13.          //string[] splits = ConfigurationManager.AppSettings["CookieSecurityKey"].Split(chars);    
14.          //AlgorithmName = splits[0];    
15.          //Key = new byte[Int32.Parse(splits[1])];// = KEY_64;    
16.          //for (int i = 2; i < Key.Length + 2; i++)    
17.          //  Key[i - 2] = byte.Parse(splits[i].Trim());             
18.      }    
19. ...    

 using System.Security.Cryptography; //and other...  
   
 public class Security  
 {  
     //If you dont want ur methods to be static then use this and  instantiate an object before use   
     //byte[] Key;  
     //string AlgorithmName;  
   
     public Security()  
     {  
         //If you dont want ur methods to be static then use this  
         //char[] chars = { ',' };  
         //string[] splits = ConfigurationManager.AppSettings["CookieSecurityKey"].Split(chars);  
         //AlgorithmName = splits[0];  
         //Key = new byte[Int32.Parse(splits[1])];// = KEY_64;  
         //for (int i = 2; i < Key.Length + 2; i++)  
         //  Key[i - 2] = byte.Parse(splits[i].Trim());           
     }  
...  

You can store the key/algoritm name in the web.config like this:

1. <appsettings>  
2.     <!--First Item - algo name, second item - key size, third till end - key values-->  
3.     <!--Possible Algorithms(valid key sizes) - DES(8), TripleDES(16,24), RC2(5,16), Rijndael(16,24,32)-->  
4.     <!--Example: <add key ="CookieSecurityKey" value="RC2, 55, 2, 66, 23, 16, 118">-->  
5.     <add key="CookieSecurityKey" value="DES, 8, 91, 161, 38, 16, 7, 24, 28, 222"></add>  
6. </appsettings>  

Step 2: Create the basic methods that encode/decode a piece of string

20. public static string Encode(string value, Byte[] key, string AlgorithmName)  
21. {  
22.  // Convert string data to byte array  
23.  byte[] ClearData = System.Text.Encoding.UTF8.GetBytes(value);  
24.   
25.  // Now create the algorithm from the provided name  
26.  SymmetricAlgorithm Algorithm = SymmetricAlgorithm.Create(AlgorithmName);  
27.  Algorithm.Key = key; //you can apply your own key mechs here  
28.  MemoryStream Target = new MemoryStream();  
29.   
30.  // Generate a random initialization vector (IV), helps to prevent brute-force  
31.  Algorithm.GenerateIV();  
32.  Target.Write(Algorithm.IV, 0, Algorithm.IV.Length);  
33.   
34.  // Encrypt information  
35.  CryptoStream cs = new CryptoStream(Target, Algorithm.CreateEncryptor(), CryptoStreamMode.Write);  
36.  cs.Write(ClearData, 0, ClearData.Length);  
37.  cs.FlushFinalBlock();  
38.   
39.  // Convert the encrypted stream back to string  
40.  return Convert.ToBase64String(Target.GetBuffer(), 0, (int)Target.Length);  
41. }  
42.   
43. public static string Decode(string value, Byte[] key, string AlgorithmName)  
44. {  
45.  // Convert string data to byte array  
46.  byte[] ClearData = Convert.FromBase64String(value);  
47.   
48.  // Create the algorithm  
49.  SymmetricAlgorithm Algorithm = SymmetricAlgorithm.Create(AlgorithmName);  
50.  Algorithm.Key = key;  
51.  MemoryStream Target = new MemoryStream();  
52.   
53.  // Read IV and initialize the algorithm with it  
54.  int ReadPos = 0;  
55.  byte[] IV = new byte[Algorithm.IV.Length];  
56.  Array.Copy(ClearData, IV, IV.Length);  
57.  Algorithm.IV = IV;  
58.  ReadPos += Algorithm.IV.Length;  
59.   
60.  // Decrypt information  
61.  CryptoStream cs = new CryptoStream(Target, Algorithm.CreateDecryptor(), CryptoStreamMode.Write);  
62.  cs.Write(ClearData, ReadPos, ClearData.Length - ReadPos);  
63.  cs.FlushFinalBlock();  
64.   
65.  // Get the bytes from the memory stream and convert them to text  
66.  return System.Text.Encoding.UTF8.GetString(Target.ToArray());  
67. }  

public static string Encode(string value, Byte[] key, string AlgorithmName)
{
 // Convert string data to byte array
 byte[] ClearData = System.Text.Encoding.UTF8.GetBytes(value);

 // Now create the algorithm from the provided name
 SymmetricAlgorithm Algorithm = SymmetricAlgorithm.Create(AlgorithmName);
 Algorithm.Key = key; //you can apply your own key mechs here
 MemoryStream Target = new MemoryStream();

 // Generate a random initialization vector (IV), helps to prevent brute-force
 Algorithm.GenerateIV();
 Target.Write(Algorithm.IV, 0, Algorithm.IV.Length);

 // Encrypt information
 CryptoStream cs = new CryptoStream(Target, Algorithm.CreateEncryptor(), CryptoStreamMode.Write);
 cs.Write(ClearData, 0, ClearData.Length);
 cs.FlushFinalBlock();

 // Convert the encrypted stream back to string
 return Convert.ToBase64String(Target.GetBuffer(), 0, (int)Target.Length);
}

public static string Decode(string value, Byte[] key, string AlgorithmName)
{
 // Convert string data to byte array
 byte[] ClearData = Convert.FromBase64String(value);

 // Create the algorithm
 SymmetricAlgorithm Algorithm = SymmetricAlgorithm.Create(AlgorithmName);
 Algorithm.Key = key;
 MemoryStream Target = new MemoryStream();

 // Read IV and initialize the algorithm with it
 int ReadPos = 0;
 byte[] IV = new byte[Algorithm.IV.Length];
 Array.Copy(ClearData, IV, IV.Length);
 Algorithm.IV = IV;
 ReadPos += Algorithm.IV.Length;

 // Decrypt information
 CryptoStream cs = new CryptoStream(Target, Algorithm.CreateDecryptor(), CryptoStreamMode.Write);
 cs.Write(ClearData, ReadPos, ClearData.Length - ReadPos);
 cs.FlushFinalBlock();

 // Get the bytes from the memory stream and convert them to text
 return System.Text.Encoding.UTF8.GetString(Target.ToArray());
}

Note: there methods are static so that you can use them directly from code without the additional line to create an object.

Step 3: Create the methods that encode/decode the cookie

68. public static HttpCookie EncodeCookie(HttpCookie cookie)    
69. {    
70.     if (cookie == null) return null;    
71.     
72.     //get key and algorithm from web.config/appsettings    
73.     //Comment this section if you do now what this method to be static    
74.     char[] chars = { ',' };    
75.     string[] splits = ConfigurationManager.AppSettings["CookieEncodingKey"].Split(chars);    
76.     string AlgorithmName = splits[0];    
77.     byte[] Key = new byte[Int32.Parse(splits[1])];// = KEY_64;    
78.     for (int i = 2; i < Key.Length + 2; i++)    
79.       Key[i - 2] = byte.Parse(splits[i].Trim());    
80.     
81.     HttpCookie eCookie = new HttpCookie(cookie.Name);    
82.     
83.     for (int i = 0; i < cookie.Values.Count; i++)    
84.     {    
85.         string value = HttpContext.Current.Server.UrlEncode(Encode(cookie.Values[i], Key, AlgorithmName));    
86.         string name = HttpContext.Current.Server.UrlEncode(Encode(cookie.Values.GetKey(i), Key, AlgorithmName));  
87.         eCookie.Values.Set(name, value);    
88.     }    
89.     return eCookie;    
90. }    
91.     
92. public static HttpCookie DecodeCookie(HttpCookie cookie)    
93. {    
94.     if (cookie == null) return null;    
95.     
96.     //Comment this section if you do now what this method to be static    
97.     char[] chars = { ',' };    
98.     string[] splits = ConfigurationManager.AppSettings["CookieEncodingKey"].Split(chars);    
99.     string AlgorithmName = splits[0];    
100.     byte[] Key = new byte[Int32.Parse(splits[1])];// = KEY_64;    
101.     for (int i = 2; i < Key.Length + 2; i++)    
102.       Key[i - 2] = byte.Parse(splits[i].Trim());    
103.     
104.     HttpCookie dCookie = new HttpCookie(cookie.Name);    
105.     
106.     for (int i = 0; i < cookie.Values.Count; i++)    
107.     {    
108.         string value = Decode(HttpContext.Current.Server.UrlDecode(cookie.Values[i]), Key, AlgorithmName);    
109.         string name = Decode(HttpContext.Current.Server.UrlDecode(cookie.Values.GetKey(i)), Key, AlgorithmName);    
110.         dCookie.Values.Set(name, value);    
111.     }    
112.     return dCookie;    
113. }  

public static HttpCookie EncodeCookie(HttpCookie cookie)  
{  
    if (cookie == null) return null;  
  
    //get key and algorithm from web.config/appsettings  
    //Comment this section if you do now what this method to be static  
    char[] chars = { ',' };  
    string[] splits = ConfigurationManager.AppSettings["CookieEncodingKey"].Split(chars);  
    string AlgorithmName = splits[0];  
    byte[] Key = new byte[Int32.Parse(splits[1])];// = KEY_64;  
    for (int i = 2; i < Key.Length + 2; i++)  
      Key[i - 2] = byte.Parse(splits[i].Trim());  
  
    HttpCookie eCookie = new HttpCookie(cookie.Name);  
  
    for (int i = 0; i < cookie.Values.Count; i++)  
    {  
        string value = HttpContext.Current.Server.UrlEncode(Encode(cookie.Values[i], Key, AlgorithmName));  
        string name = HttpContext.Current.Server.UrlEncode(Encode(cookie.Values.GetKey(i), Key, AlgorithmName));
        eCookie.Values.Set(name, value);  
    }  
    return eCookie;  
}  
  
public static HttpCookie DecodeCookie(HttpCookie cookie)  
{  
    if (cookie == null) return null;  
  
    //Comment this section if you do now what this method to be static  
    char[] chars = { ',' };  
    string[] splits = ConfigurationManager.AppSettings["CookieEncodingKey"].Split(chars);  
    string AlgorithmName = splits[0];  
    byte[] Key = new byte[Int32.Parse(splits[1])];// = KEY_64;  
    for (int i = 2; i < Key.Length + 2; i++)  
      Key[i - 2] = byte.Parse(splits[i].Trim());  
  
    HttpCookie dCookie = new HttpCookie(cookie.Name);  
  
    for (int i = 0; i < cookie.Values.Count; i++)  
    {  
        string value = Decode(HttpContext.Current.Server.UrlDecode(cookie.Values[i]), Key, AlgorithmName);  
        string name = Decode(HttpContext.Current.Server.UrlDecode(cookie.Values.GetKey(i)), Key, AlgorithmName);  
        dCookie.Values.Set(name, value);  
    }  
    return dCookie;  
}

At this point you have the basis setup and you can use the class in your code.

Encoding Example:

1. HttpCookie cookie = new HttpCookie("MySecureCookie");  
2. cookie["ID"] = "39369a0d-975e-4456-9ade-3f04639fd309"; //recommended: use some unique value to later check for fraudulent cookies while retrieving  
3. cookie["Name"] = username;  
4. cookie["Email"] = email;  
5.   
6. cookie = Security.EncodeCookie(cookie); //encode  
7. cookie.Expires = DateTime.Now.AddDays(90);  
8. Response.Cookies.Add(cookie);  
9. ...  

HttpCookie cookie = new HttpCookie("MySecureCookie");
cookie["ID"] = "39369a0d-975e-4456-9ade-3f04639fd309"; //recommended: use some unique value to later check for fraudulent cookies while retrieving
cookie["Name"] = username;
cookie["Email"] = email;

cookie = Security.EncodeCookie(cookie); //encode
cookie.Expires = DateTime.Now.AddDays(90);
Response.Cookies.Add(cookie);
...

Decoding Example:

1. HttpCookie cookie = context.Request.Cookies["MySecureCookie"];  
2. cookie = Security.DecodeCookie(cookie); //decode  
3.   
4. if (cookie["ID"] == "39369a0d-975e-4456-9ade-3f04639fd309") cookieChecksOut = true;  
5. //process cookie  
6. ...  

HttpCookie cookie = context.Request.Cookies["MySecureCookie"];
cookie = Security.DecodeCookie(cookie); //decode

if (cookie["ID"] == "39369a0d-975e-4456-9ade-3f04639fd309") cookieChecksOut = true;
//process cookie
...

This code allows using a single generic implementation to use a variety of algorithms based on their merits and properties. I hope this will help a lot of beginners.