It seems that cookies are not encrypted. How is protection against forgery of cookies implemented?
Right, the cookie is not encrypted (that could be done at the application level). The implementation is about cookie forgery prevention, with the help of hashing keys.
Thank you. I did not know where it gets the hash key from.
It turns out that when an application is started for the first time the key is generated randomly and stored in a file “runtime/state.bin”.
Note. Cookies are really strongly protected if… you do not forget to clean the “runtime” directory on each new copy of the application.
Yes, that is the random key. It is used to generate a hash code for data that needs to be prevented from forgery.
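The scheme discussed in this thread, as an added Python sketch that is not part of the thread and not the framework's own code: a key generated on first start and kept in `state.bin`, a keyed hash prepended to the plaintext cookie, and the effect of copying versus cleaning the runtime directory. HMAC-SHA256, the cookie layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

MAC_HEX_LEN = 64  # length of a hex-encoded HMAC-SHA256 (assumed algorithm)


def load_or_create_key(runtime_dir):
    """Generate the key on first start, then reuse the stored copy."""
    path = os.path.join(runtime_dir, "state.bin")
    try:
        # O_EXCL: only the first start creates the file; 0o600 keeps it private.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(path, "rb") as fh:
            return fh.read()
    key = secrets.token_bytes(32)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key


def sign_cookie(value, key):
    """Prefix the plaintext value with its HMAC; nothing is encrypted."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest() + value


def validate_cookie(cookie, key):
    """Return the value if its HMAC matches, otherwise None."""
    mac, value = cookie[:MAC_HEX_LEN], cookie[MAC_HEX_LEN:]
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Compare as bytes, in constant time.
    return value if hmac.compare_digest(mac.encode(), expected.encode()) else None


def demo():
    """Constructed sample: one original site, one copy, one cleaned copy."""
    with tempfile.TemporaryDirectory() as site_a, \
            tempfile.TemporaryDirectory() as site_b, \
            tempfile.TemporaryDirectory() as site_c:
        key_a = load_or_create_key(site_a)
        cookie = sign_cookie("user=alice", key_a)
        with open(os.path.join(site_b, "state.bin"), "wb") as fh:
            fh.write(key_a)  # copy shipped with the original runtime directory
        return {
            "valid": validate_cookie(cookie, key_a),
            "edited": validate_cookie(cookie.replace("alice", "admin"), key_a),
            "copied_runtime": validate_cookie(cookie, load_or_create_key(site_b)),
            "cleaned_runtime": validate_cookie(cookie, load_or_create_key(site_c)),
        }
```

A copy that keeps the original `state.bin` accepts cookies signed by the original installation, while a copy with a cleaned runtime directory generates its own key and rejects them.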