What do you mean "plaintext" attacks? There are three different attacks that need to be worried about with cookies.
First is hiding any confidential data. The simplest way is to not put confidential data in the cookie and keep it in local storage. The cookie becomes a key to find the local session data. The next best is to encrypt the data with a secret key. Compression is just obfuscation and not secure.
Second is protecting the info from tampering. MACs are perfect for this because only those with the secret key can generate or verify the MAC. The plaintext can be read but not modified. For cookies that are just keys, the keys can be chosen from a large enough space that modifying the key results in an invalid value.
Second is preventing replay attacks, from someone recording the cookie and using it later. Using SSL to keep the cookie from being known is the best solution. Including expiration time in the cookie or session is another solution.
Finally is preventing tampering with the cookie. Generating cookies is a similar attack. MACs are a good solution since they can only be generated or verified by the secret key. An authentication cookie with a username, expiration timestamp, and MAC is perfectly good if user names don't need to be kept secret.
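The cookie layout described in the post above (username, expiration timestamp, MAC), as an added example that is not part of the original post. The key value, the field separator, the choice of HMAC-SHA256 and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a server-side secret; this value is constructed for the example.
SECRET_KEY = b"constructed-demo-key-not-for-production"

def b64(data: bytes) -> str:
    # URL-safe base64 never contains ".", so "." is a safe field separator.
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def mac_tag(key: bytes, payload: str) -> str:
    return b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())

def make_cookie(username, ttl_seconds, key=SECRET_KEY, now=None):
    """Build 'b64(username).expires.mac'; the username stays readable."""
    now = int(time.time()) if now is None else now
    payload = f"{b64(username.encode())}.{now + ttl_seconds}"
    return f"{payload}.{mac_tag(key, payload)}"

def verify_cookie(cookie, key=SECRET_KEY, now=None):
    """Return the username if the MAC is valid and the cookie is unexpired."""
    now = int(time.time()) if now is None else now
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    user_b64, expires_s, tag = parts
    payload = f"{user_b64}.{expires_s}"
    # Check the MAC before trusting any field; compare in constant time.
    if not hmac.compare_digest(mac_tag(key, payload).encode(), tag.encode()):
        return None
    # The expiry is covered by the MAC, so a client cannot extend it.
    if int(expires_s) <= now:
        return None
    pad = "=" * (-len(user_b64) % 4)
    return base64.urlsafe_b64decode(user_b64 + pad).decode()

if __name__ == "__main__":
    cookie = make_cookie("alice", 3600)
    print(cookie, "->", verify_cookie(cookie))
```

A recorded cookie still verifies until its expiry passes, which is why the post pairs the timestamp with SSL for replay protection.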