I am currently doing a little study on what I can possibly do to secure the cookie data I send to my client. It turns out that it all boils down to signing my cookies - not a big deal, right?
Well, actually, that is only partially true. I am stuck at deciding what secret to use. You see, my app is open-sourced and I won't suddenly close the open source code down. So I need a mechanism that'd allow me to keep the secret a serious secret, and make sure the end user who reads through my code won't immediately be able to break through. Because anything is hackable if you tinker with it long enough - that's how I see it.
Anyway I am getting off topic.
I am working with PHP and NodeJS. What are the best ways to pick a secret that will forever stay a secret?
My initial thoughts:

- My server's private key
- A random string, put into a text file outside of world-access
My app currently runs Yii 1, but I am switching to Laravel 5.