Case:
To encrypt a piece of data, the strategy is to divide the numbers by randomly inserting characters (not numbers), such as user input: 12345
Use ISA encryption, add random characters, generate a character: *************
The background receives the passed characters, begins to decrypt, and removes the randomly inserted characters (not the numbers).
Get the right character;
Analytical:
On the face of it, there is no problem with this encryption process.
However, after the user has viewed the data in the cookie, it is actually possible to obtain the length of the encrypted string. And once someone knows this validation rule (except for characters), they can get the cookie directly from the user's computer and then use the cookie directly to enter the user's account, which makes the encryption not insured.
In fact, when the analysis of the time there is a problem, but I do not remember clearly. I hope you can get the answer in the discussion below.
The error of application of ISA encryption technology