How to build a “tamperproof cookie”

Russell Hammett Jr. (Kritner)
5 min read · Jul 27, 2021

All right! It’s been a minute! Tamperproof cookies: I needed one, and it turned out to be pretty simple once I thought it through.

I feel like I always say it’s been a while since my last post… but this time it has in fact been a while.

So… I’m working on a multi-factor authentication setup for a freelance client. I have the multi-factor one-time password all set up, but now I need a way to implement a “remember me for 30 days” feature. That should be relatively simple, right? Can’t we just use cookies?

Not so fast there, past me who hadn’t thought it through! Cookies can easily be modified by the client, because they’re stored client-side, and a plain cookie value isn’t protected by any digital signature!

Here’s some context into the situation:

Basically, I needed a way to store, local to the user, a secure (tamperproof) indication that the user has completed two-factor authentication within the last 30 days. The simplest way to do this would seemingly be to store a cookie whose value is the expiration date and user name. However, this first idea falls apart quickly, since a user could just change the cookie value (the expiration date and/or the user name)…
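One way to close that hole, as an added example that is not code from the original post or the author’s client project: keep the same “user name plus expiration date” value, but append an HMAC computed with a secret that only the server holds, so any edit to either field invalidates the cookie. The key, the `|` separator and the field layout are assumptions made here for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder; a real deployment loads this from server-side
# configuration and never sends it to the browser.
SECRET_KEY = b"placeholder-server-side-secret-change-me"
THIRTY_DAYS = 30 * 24 * 60 * 60


def _mac(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 so it fits in a cookie."""
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def issue_cookie(username: str, key: bytes = SECRET_KEY, now=None,
                 lifetime: int = THIRTY_DAYS) -> str:
    """Build 'username|expires|mac'. The MAC covers both fields, so neither
    can be edited without knowing the server-side key."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    expires = int(now if now is not None else time.time()) + lifetime
    payload = f"{username}|{expires}"
    return f"{payload}|{_mac(payload.encode(), key)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY, now=None):
    """Return the username if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expires_str, presented = parts
    payload = f"{username}|{expires_str}".encode()
    # Constant-time comparison: a plain == would leak timing information
    # about how many leading bytes of the forged MAC were correct.
    if not hmac.compare_digest(_mac(payload, key), presented):
        return None
    # Only after the MAC checks out do we trust the expiry the client sent back.
    if not expires_str.isdigit():
        return None
    current = int(now if now is not None else time.time())
    if current >= int(expires_str):
        return None
    return username
```

The cookie value is still readable by the user (this is integrity, not secrecy), and the server must also revoke or rotate the key if it is ever exposed, since anyone holding it can mint valid cookies.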
