I have just put together a small update (version 1.4) for the CSE dupal module that performs client side encryption. This update contains one fix and one new feature.

First the fix. Drupal recently changed the way it handles session cookies (particularly effecting multiple sites under a common domain). This change caused problems in the way CSE stores it's own cookies (which are only used when the cookie feature is turned on in the CSE administration pages). This is now fixed in version 1.4.

Why did CSE use the Drupal session cookie? CSE uses the session cookie to obscure its own cookie content. Storing information in cookies is a configurable option in CSE, and may be deemed insecure. The CSE cookies themselves are encrypted so that they are not human readable. Using the Drupal session cookie to obscure the CSE cookies further reduced the risk of having all the pieces needed to decrypt the cookie.

The feature addition is very small and is primarily for the Opera browser. The "revert to encrypted form" double click does not work in Opera unless Opera's own double click internal context menu is turned off. Opera interprets page double clicks as a context menu request. This feature allows a single click of the "cse" tag at the top of the page to revert content. Single click revert only works if all the content on the page is successfully decrypted. If there is still content on the page needing decryption then a single click behaves as before (hides/opens the password prompt). This may case confusion so I am not convinced it is a good thing to do. Any feedback on this issue would be appreciated.

I have a few plans for version 2.0 of CSE. Although I do not have much time to dedicate to it, CSE 2.0 is moving forward. Firstly I will update the module for the upcoming Drupal 6.0. Secondly, I plan to update the javascript code to put the encrypted data into self-contained objects and attach them directly to the DOM. This would be neater than the current approach. If there are any other requests/suggestions, please let me know.