Protecting cookies from being attacked is of extreme important, as session IDs are commonly stored in cookies. If one gets hold of a session ID, he essentially owns all relevant session information.
There are several countermeasures to prevent cookies from being attacked.
Prado implements a cookie validation scheme that prevents cookies from being modified. In particular, it does HMAC check for the cookie values if cookie validation is enable.
Cookie validation is disabled by default. To enable it, configure the THttpRequest module as follows,
To make use of cookie validation scheme provided by Prado, you also need to retrieve cookies through the Cookies collection of THttpRequest by using the following PHP statements,
To send cookie data encoded with validation information, create new THttpCookie objects and add them to the Cookies collection of THttpResponse,