Index: branches/5.3.x/core/kernel/session/session.php =================================================================== diff -u -N -r16600 -r16731 --- branches/5.3.x/core/kernel/session/session.php (.../session.php) (revision 16600) +++ branches/5.3.x/core/kernel/session/session.php (.../session.php) (revision 16731) @@ -1,6 +1,6 @@ _autoGuessDomain(SERVER_NAME) ); - $cookie_hasher = $this->Application->makeClass('kCookieHasher'); - /* @var $cookie_hasher kCookieHasher */ + /** @var CookieManager $cookie_manager */ + $cookie_manager = $this->Application->recallObject('CookieManager'); + $encrypted_value = $cookie_manager->encryptAndTrack($name, $value); - $encrypted_value = $cookie_hasher->encrypt($name, $value); - foreach ($old_style_domains as $old_style_domain) { if ($this->CookieDomain != $old_style_domain) { // new style cookie domain -> delete old style cookie to prevent infinite redirect Index: branches/5.3.x/core/install/upgrades.sql =================================================================== diff -u -N -r16600 -r16731 --- branches/5.3.x/core/install/upgrades.sql (.../upgrades.sql) (revision 16600) +++ branches/5.3.x/core/install/upgrades.sql (.../upgrades.sql) (revision 16731) 
@@ -3071,3 +3071,11 @@ UPDATE PromoBlocks SET ScheduleToDate = ScheduleToDate + 86399 WHERE DATE_FORMAT(FROM_UNIXTIME(ScheduleTodate), "%H%i") = "0000"; DELETE FROM LanguageLabels WHERE PhraseKey = "LA_FLD_SCHEDULEDATE"; + +DELETE FROM SystemSettings WHERE VariableName = "RandomString"; + +UPDATE SystemSettings +SET DisplayOrder = ROUND(DisplayOrder - 0.01, 2) +WHERE ModuleOwner = 'In-Portal' AND Section = 'in-portal:configure_advanced' AND DisplayOrder BETWEEN 60.10 AND 61.00; + +INSERT INTO SystemSettings VALUES(DEFAULT, 'EncryptedCookies', 'cookies_on,save_username,original_referrer,remember_login,last_module,adm_sid,adm_sid_live,sid,sid_live', 'In-Portal', 'in-portal:configure_advanced', 'la_section_SettingsSystem', 'la_config_EncryptedCookies', 'text', '', '', 60.10, 0, 1, NULL); Index: branches/5.3.x/core/install/cache/class_structure.php =================================================================== diff -u -N -r16727 -r16731 --- branches/5.3.x/core/install/cache/class_structure.php (.../class_structure.php) (revision 16727) +++ branches/5.3.x/core/install/cache/class_structure.php (.../class_structure.php) (revision 16731) @@ -38,6 +38,7 @@ 'ConfigurationValidator' => '/core/units/configuration/configuration_validator.php', 'ContentEventHandler' => '/core/units/content/content_eh.php', 'ContentTagProcessor' => '/core/units/content/content_tp.php', + 'CookieManager' => '/core/kernel/managers/cookie_manager.php', 'CoreUpgrades' => '/core/install/upgrades.php', 'CountryStateEventHandler' => '/core/units/country_states/country_state_eh.php', 'CssMinifyHelper' => '/core/units/helpers/minifiers/css_minify_helper.php', 
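Review bot: The inserted `EncryptedCookies` default hard-codes `sid`, `sid_live`, `adm_sid` and `adm_sid_live`, but on an upgraded site the session cookie is whatever `SessionCookieName` already holds, so an install that changed it gets a list that does not name its real session cookie until `encryptAndTrack` appends it at runtime. A plain `INSERT ... VALUES` cannot read the configured name from the same table, so this row is better written by the PHP upgrade step, building the value from `CookieManager::getRequiredEncryptedCookies()` — the same list the save-time handler merges back in. The `DELETE ... WHERE VariableName = "RandomString"` also removes the only secret the deleted `kCookieHasher` used, so every cookie issued before the upgrade, sessions included, will fail decryption and be dropped with a notice on the first request; a one-line comment such as `-- Old cookie secret is gone: all pre-upgrade encrypted cookies become invalid, users are logged out once.` would let operators expect that. Prefer single quotes for these string literals, as the surrounding `INSERT` does, so the statements also survive `ANSI_QUOTES`.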
@@ -252,7 +253,6 @@
 'kChartHelper' => '/core/units/helpers/chart_helper.php',
 'kClipboardHelper' => '/core/units/helpers/clipboard_helper.php',
 'kColumnPickerHelper' => '/core/units/helpers/col_picker_helper.php',
- 'kCookieHasher' => '/core/kernel/utility/cookie_hasher.php',
 'kCountHelper' => '/core/units/helpers/count_helper.php',
 'kCountryStatesHelper' => '/core/units/helpers/country_states_helper.php',
 'kCronField' => '/core/units/helpers/cron_helper.php',
@@ -565,6 +565,13 @@
 0 => 'kDBTagProcessor',
 ),
 ),
+ 'CookieManager' => array(
+ 'type' => 1,
+ 'modifiers' => 2,
+ 'extends' => array(
+ 0 => 'kBase',
+ ),
+ ),
 'CoreUpgrades' => array(
 'type' => 1,
 'modifiers' => 0,
@@ -1967,13 +1974,6 @@
 0 => 'kHelper',
 ),
 ),
- 'kCookieHasher' => array(
- 'type' => 1,
- 'modifiers' => 0,
- 'extends' => array(
- 0 => 'kBase',
- ),
- ),
 'kCountHelper' => array(
 'type' => 1,
 'modifiers' => 0,
Index: branches/5.3.x/core/units/helpers/user_helper.php
===================================================================
diff -u -N -r16600 -r16731
--- branches/5.3.x/core/units/helpers/user_helper.php	(.../user_helper.php)	(revision 16600)
+++ branches/5.3.x/core/units/helpers/user_helper.php	(.../user_helper.php)	(revision 16731)
@@ -1,6 +1,6 @@ Update() ? '' : 'restore_impossible'; } - /** - * Generates random string - * - * @param int $length - * @param bool $special_chars - * @param bool $extra_special_chars - * @return string - * @access public - */ - public function generateRandomString($length = 12, $special_chars = true, $extra_special_chars = false) - { - $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; - - if ( $special_chars ) { - $chars .= '!@#$%^&*()'; - } - - if ( $extra_special_chars ) { - $chars .= '-_ []{}<>~`+=,.;:/?|'; - } - - $password = ''; - - for ($i = 0; $i < $length; $i++) { - $password .= substr($chars, $this->_generateRandomNumber(0, strlen($chars) - 1), 1); - } - - return $password; - } - - /** - * Generates a random number - * - * @param int $min Lower limit for the generated number (optional, default is 0) - * @param int $max Upper limit for the generated number (optional, default is 4294967295) - * @return int A random number between min and max - * @access protected - */ - protected function _generateRandomNumber($min = 0, $max = 0) - { - static $rnd_value = ''; - - // Reset $rnd_value after 14 uses - // 32(md5) + 40(sha1) + 40(sha1) / 8 = 14 random numbers from $rnd_value - if ( strlen($rnd_value) < 8 ) { - $random_seed = $this->Application->getDBCache('random_seed'); - $rnd_value = md5(uniqid(microtime() . mt_rand(), true) . $random_seed); - $rnd_value .= sha1($rnd_value); - $rnd_value .= sha1($rnd_value . $random_seed); - $random_seed = md5($random_seed . $rnd_value); - $this->Application->setDBCache('random_seed', $random_seed); - } - - // Take the first 8 digits for our value - $value = substr($rnd_value, 0, 8); - - // Strip the first eight, leaving the remainder for the next call to wp_rand(). 
- $rnd_value = substr($rnd_value, 8); - - $value = abs(hexdec($value)); - - // Reduce the value to be within the min - max range - // 4294967295 = 0xffffffff = max random number - if ( $max != 0 ) { - $value = $min + (($max - $min + 1) * ($value / (4294967295 + 1))); - } - - return abs(intval($value)); - } - } \ No newline at end of file + } Index: branches/5.3.x/core/kernel/utility/cookie_hasher.php =================================================================== diff -u -N --- branches/5.3.x/core/kernel/utility/cookie_hasher.php (revision 16252) +++ branches/5.3.x/core/kernel/utility/cookie_hasher.php (revision 0) 
@@ -1,178 +0,0 @@ -Application->ConfigValue('RandomString'); - } - - $this->_config = Array ( - 'secret' => substr($secret, 0, 32), // used cipher only allows 256bit (or less) key length - 'cipher' => MCRYPT_RIJNDAEL_256, - 'mode' => MCRYPT_MODE_CBC, - 'vector' => static::_vector(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC) - ); - - $plain_text_cookies = (string)$this->Application->ConfigValue('PlainTextCookies'); - - if ( $plain_text_cookies ) { - $plain_text_cookies = array_filter(array_map('trim', explode(',', $plain_text_cookies))); - $this->_plainTextCookies = array_unique(array_merge($this->_plainTextCookies, $plain_text_cookies)); - } - } - - /** - * Determines if cookie should be processed or passed through as is - * - * @param string $cookie_name - * @return bool - * @access protected - */ - protected function _isPassThrough($cookie_name) - { - return in_array($cookie_name, $this->_plainTextCookies); - } - - /** - * Generates encryption vector and returns it - * - * @param string $cipher - * @param string $mode - * @return string - * @access protected - */ - protected static function _vector($cipher, $mode) - { - if ( static::$_vector ) { - return static::$_vector; - } - - $size = static::_vectorSize($cipher, $mode); - - return static::$_vector = mcrypt_create_iv($size, MCRYPT_DEV_URANDOM); - } - - /** - * Returns vector size for given cipher and encryption mode - * - * @param string $cipher - * @param string $mode - * @return int - * @access protected - */ - protected static function _vectorSize($cipher, $mode) - { - return mcrypt_get_iv_size($cipher, $mode); - } - - /** - * Encrypts a cookie - * - * @param string $cookie_name - * @param mixed $plain_value - * @return string - * @access public - */ - public function encrypt($cookie_name, $plain_value) - { - if ( $this->_isPassThrough($cookie_name) ) { - return $plain_value; - } - - $cipher = $this->_config['cipher']; - $secret = $this->_config['secret']; - $mode = $this->_config['mode']; - $vector = 
$this->_config['vector']; - - $data = Array ($cookie_name => $plain_value); - $encrypted = mcrypt_encrypt($cipher, $secret, serialize($data), $mode, $vector); - - return base64_encode($encrypted) . base64_encode($vector); - } - - /** - * Decrypts a cookie - * - * @param string $cookie_name - * @param string $encrypted_value - * @return mixed - * @access public - */ - public function decrypt($cookie_name, $encrypted_value) - { - if ( $this->_isPassThrough($cookie_name) ) { - return $encrypted_value; - } - - $cipher = $this->_config['cipher']; - $secret = $this->_config['secret']; - $mode = $this->_config['mode']; - - $vector_size = static::_vectorSize($cipher, $mode); - $base64_vector_size = strlen(base64_encode(str_repeat(' ', $vector_size))); - $vector = $this->_safeBase64Decode(substr($encrypted_value, -$base64_vector_size)); - $data = $this->_safeBase64Decode(substr($encrypted_value, 0, -$base64_vector_size)); - - if ( $vector === false || $data === false || strlen($vector) != $vector_size ) { - // non-encrypted or malformed cookie value given - return ''; - } - - // non-serialized array is decrypted in case of decrypting old cookies after a secret change - $decrypted = trim(mcrypt_decrypt($cipher, $secret, $data, $mode, $vector)); - $data = kUtil::IsSerialized($decrypted) ? unserialize($decrypted) : Array (); - - // check if cookie value was actually copied from other cookie - return isset($data[$cookie_name]) ? 
$data[$cookie_name] : ''; - } - - /** - * Safely decodes base64-encoded string - * - * @param string $encoded_string - * @return string|bool - * @access protected - */ - protected function _safeBase64Decode($encoded_string) - { - $decoded_string = base64_decode($encoded_string); - - if ( (string)base64_encode($decoded_string) !== (string)$encoded_string ) { - return false; - } - - return $decoded_string; - } -} Index: branches/5.3.x/core/kernel/utility/http_query.php =================================================================== diff -u -N -r16730 -r16731 --- branches/5.3.x/core/kernel/utility/http_query.php (.../http_query.php) (revision 16730) +++ branches/5.3.x/core/kernel/utility/http_query.php (.../http_query.php) (revision 16731) @@ -1,6 +1,6 @@ Application->makeClass('kCookieHasher'); - /* @var $cookie_hasher kCookieHasher */ - - $parsed_cookies = Array (); - - foreach ($_COOKIE as $cookie_name => $encrypted_value) { - $parsed_cookies[$cookie_name] = $cookie_hasher->decrypt($cookie_name, $encrypted_value); - } - - $this->Cookie = $this->AddVars($parsed_cookies); + /** @var CookieManager $cookie_manager */ + $cookie_manager = $this->Application->recallObject('CookieManager'); + $this->Cookie = $this->AddVars($cookie_manager->filterAllowed($_COOKIE)); break; /*case 'E'; Index: branches/5.3.x/core/install/english.lang =================================================================== diff -u -N -r16718 -r16731 --- branches/5.3.x/core/install/english.lang (.../english.lang) (revision 16718) +++ branches/5.3.x/core/install/english.lang (.../english.lang) (revision 16731) @@ -170,6 +170,7 @@ S2VlcCAiRS1tYWlsIExvZyIgZm9y RW5hYmxlICJFLW1haWwgTG9nIg== RW5hYmxlIFJldmlzaW9uIENvbnRyb2wgZm9yIFNlY3Rpb24gQ29udGVudA== + RW5jcnlwdGVkIENvb2tpZXM= VGVtcGxhdGUgZm9yICJGaWxlIG5vdCBmb3VuZCAoNDA0KSIgRXJyb3I= RXhjbHVkZSB0ZW1wbGF0ZSBiYXNlZCBTZWN0aW9ucyBmcm9tIFNlYXJjaCBSZXN1bHRzIChpZS4gVXNlciBSZWdpc3RyYXRpb24p RmlsZW5hbWUgU3BlY2lhbCBDaGFyIFJlcGxhY2VtZW50 
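Review bot: `filterAllowed($_COOKIE)` changes the contract of this `case`: a cookie listed in neither `PlainTextCookies` nor `EncryptedCookies` is no longer passed through as the old per-cookie `decrypt()` loop did, it is discarded before `AddVars`, and nothing on the new lines says so. A short comment on the assignment would spare the next reader a trip into CookieManager: `// Allow-list: cookies absent from both PlainTextCookies and EncryptedCookies are dropped here.` The enclosing method (the `switch` over variable sources) starts and ends outside this hunk.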
@@ -198,7 +199,6 @@ UGVyZm9ybSBFeGFjdCBTZWFyY2g= Q29tbWVudHMgcGVyIHBhZ2U= UGxhaW4gVGV4dCBDb29raWVz - UmFuZG9tIFN0cmluZw== IlJlY3ljbGUgQmluIiBTZWN0aW9uSWQ= VXNlcm5hbWUgUmVxdWlyZWQgRHVyaW5nIFJlZ2lzdHJhdGlvbg== UmVzdG9yZSBsYXN0IHZpc2l0ZWQgQWRtaW4gU2VjdGlvbiBhZnRlciBMb2dpbg== @@ -267,6 +267,7 @@ Q2FuJ3Qgb3BlbiB0aGUgZmlsZQ== Q2FuJ3Qgc2F2ZSBhIGZpbGU= Q29ubmVjdGlvbiBGYWlsZWQ= + U2FtZSBjb29raWUgY2FuJ3QgYmUgbGlzdGVkIGluIGJvdGggIlBsYWluIFRleHQgQ29va2llcyIgYW5kICJFbmNyeXB0ZWQgQ29va2llcyIgc2V0dGluZ3M= RXJyb3IgY29weWluZyBzdWJzZWN0aW9ucw== Q3VzdG9tIGZpZWxkIHdpdGggaWRlbnRpY2FsIG5hbWUgYWxyZWFkeSBleGlzdHM= RW1haWwgRGVzaWduIFRlbXBsYXRlIHNob3VsZCBjb250YWluIGF0IGxlYXN0ICIkYm9keSIgdGFnIGluIGl0Lg== Index: branches/5.3.x/core/units/configuration/configuration_event_handler.php =================================================================== diff -u -N -r16519 -r16731 --- branches/5.3.x/core/units/configuration/configuration_event_handler.php (.../configuration_event_handler.php) (revision 16519) +++ branches/5.3.x/core/units/configuration/configuration_event_handler.php (.../configuration_event_handler.php) (revision 16731) @@ -1,6 +1,6 @@ Application->GetVar('email-template_' . $event->Prefix); $object->SetDBField('VariableValue', $email_event_data[0]['Recipients']); } + elseif ( $variable_name === 'PlainTextCookies' || $variable_name === 'EncryptedCookies' ) { + $cookie_set1 = $new_value; + $cookie_set1 = $cookie_set1 ? explode(',', $cookie_set1) : array(); + $cookie_set2 = $this->Application->ConfigValue( + $variable_name === 'PlainTextCookies' ? 'EncryptedCookies' : 'PlainTextCookies' + ); + $cookie_set2 = $cookie_set2 ? explode(',', $cookie_set2) : array(); + + if ( array_intersect($cookie_set1, $cookie_set2) ) { + $object->SetError( + 'VariableValue', + 'cookie_encryption_state', + 'la_error_CookieEncryptionState' + ); + } + } + /** @var kSectionsHelper $sections_helper */ $sections_helper = $this->Application->recallObject('SectionsHelper'); 
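Review bot: The overlap check in the new `elseif` branch splits both settings with a bare `explode(',', …)`, so a value typed as `sid, cookies_on` yields `' cookies_on'`, never intersects, and the same untrimmed entry later fails `array_intersect` in `filterAllowed`, whereas the deleted kCookieHasher normalised `PlainTextCookies` with `array_filter(array_map('trim', explode(',', …)))`. Normalise both lists before comparing, e.g. `$cookie_set1 = array_filter(array_map('trim', explode(',', (string)$new_value)));` and the same for `$cookie_set2`, and write the normalised string back to the field. Note also that `$cookie_set2` comes from `ConfigValue()`, i.e. the already-persisted value of the other setting, so if both settings are changed in one save the check compares against the pre-save value — whether the form permits that is not visible here. The enclosing handler starts before and ends after this hunk.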
@@ -272,6 +289,21 @@ if ( $object->GetDBField('ElementType') == 'password' && trim($object->GetDBField('VariableValue')) == '' ) { $object->SetFieldOption('VariableValue', 'skip_empty', 1); } + + if ( $object->GetDBField('VariableName') === 'EncryptedCookies' ) { + $new_value = $object->GetDBField('VariableValue'); + $old_value = $object->GetOriginalField('VariableValue'); + + if ( $new_value != $old_value ) { + /** @var CookieManager $cookie_manager */ + $cookie_manager = $this->Application->recallObject('CookieManager'); + $required_encrypted_cookies = $cookie_manager->getRequiredEncryptedCookies(); + + $new_value_parsed = $new_value ? explode(',', $new_value) : array(); + $new_value_parsed = array_unique(array_merge($new_value_parsed, $required_encrypted_cookies)); + $object->SetDBField('VariableValue', implode(',', $new_value_parsed)); + } + } } /** 
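Review bot: The required-cookie merge in the `EncryptedCookies` branch runs `array_unique(array_merge(…))` over untrimmed `explode(',', $new_value)` parts, so an admin entry like `' sid'` survives next to the required `'sid'` and both are persisted; `$new_value != $old_value` is also a loose comparison where `!==` is meant. Trim and drop empty parts first, `$new_value_parsed = array_filter(array_map('trim', explode(',', (string)$new_value)));`, and add a why-comment since the silent re-add surprises admins: `// Session cookies must always be encrypted; re-add them if the admin removed them from the list.` The enclosing method continues outside this hunk.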
@@ -328,6 +360,28 @@ $skin_deleted = true; } } + elseif ( $variable_name === 'SessionCookieName' && in_array($variable_name, $changed) ) { + $encrypted_cookie_names = $this->Application->ConfigValue('EncryptedCookies'); + + if ( !$encrypted_cookie_names ) { + return; + } + + $old_value = $object->GetOriginalField('VariableValue'); + $new_value = $object->GetDBField('VariableValue'); + $encrypted_cookie_names = explode(',', $encrypted_cookie_names); + + // Sample: cookies_on,remember_login,last_module,adm_sid,adm_sid_live,sid,sid_live. + foreach ( $encrypted_cookie_names as $index => $encrypted_cookie_name ) { + if ( !preg_match('/^(adm_|)' . $old_value . '(_live|)$/', $encrypted_cookie_name, $regs) ) { + continue; + } + + $encrypted_cookie_names[$index] = $regs[1] . $new_value . $regs[2]; + } + + $this->Application->SetConfigValue('EncryptedCookies', implode(',', $encrypted_cookie_names)); + } } /** Index: branches/5.3.x/core/install/install_data.sql =================================================================== diff -u -N -r16600 -r16731 --- branches/5.3.x/core/install/install_data.sql (.../install_data.sql) (revision 16600) +++ branches/5.3.x/core/install/install_data.sql (.../install_data.sql) (revision 16731) 
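Review bot: In the new `SessionCookieName` branch `$old_value` is spliced into a regular expression unescaped (`'/^(adm_|)' . $old_value . '(_live|)$/'`); the cookie name is admin-supplied, so a value containing `.`, `+` or `/` either over-matches other list entries or breaks the pattern and leaves the list un-renamed. Escape it and keep the empty-alternative groups so `$regs[1]`/`$regs[2]` stay defined: `if ( !preg_match('/^(adm_|)' . preg_quote($old_value, '/') . '(_live|)$/', $encrypted_cookie_name, $regs) ) {`. The bare `return;` when `EncryptedCookies` is empty leaves the whole handler early — if anything follows this `elseif` chain in the method (it ends outside the hunk), that code is skipped for this setting; wrapping the body in `if ( $encrypted_cookie_names ) { … }` avoids that.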
@@ -100,8 +100,8 @@ INSERT INTO SystemSettings VALUES(DEFAULT, 'Backup_Path', '/home/alex/web/in-portal.rc/system/backupdata', 'In-Portal', 'in-portal:configure_advanced', 'la_section_SettingsSystem', 'la_config_backup_path', 'text', '', '', 60.06, 0, 1, NULL); INSERT INTO SystemSettings VALUES(DEFAULT, 'SystemTagCache', '0', 'In-Portal', 'in-portal:configure_advanced', 'la_section_SettingsSystem', 'la_prompt_syscache_enable', 'checkbox', NULL, NULL, 60.07, 0, 0, NULL); INSERT INTO SystemSettings VALUES(DEFAULT, 'SocketBlockingMode', '0', 'In-Portal', 'in-portal:configure_advanced', 'la_section_SettingsSystem', 'la_prompt_socket_blocking_mode', 'checkbox', NULL, NULL, 60.08, 0, 0, NULL); -INSERT INTO SystemSettings VALUES(DEFAULT, 'RandomString', '', 'In-Portal', 'in-portal:configure_advanced', 'la_section_SettingsSystem', 'la_config_RandomString', 'text', '', '', 60.09, 0, 1, NULL); -INSERT INTO SystemSettings VALUES(DEFAULT, 'PlainTextCookies', '', 'In-Portal', 'in-portal:configure_advanced', 'la_section_SettingsSystem', 'la_config_PlainTextCookies', 'text', '', '', 60.10, 0, 1, NULL); +INSERT INTO SystemSettings VALUES(DEFAULT, 'PlainTextCookies', '', 'In-Portal', 'in-portal:configure_advanced', 'la_section_SettingsSystem', 'la_config_PlainTextCookies', 'text', '', '', 60.09, 0, 1, NULL); +INSERT INTO SystemSettings VALUES(DEFAULT, 'EncryptedCookies', 'cookies_on,save_username,original_referrer,remember_login,last_module,adm_sid,adm_sid_live,sid,sid_live', 'In-Portal', 'in-portal:configure_advanced', 'la_section_SettingsSystem', 'la_config_EncryptedCookies', 'text', '', '', 60.10, 0, 1, NULL); INSERT INTO SystemSettings VALUES(DEFAULT, 'EnableEmailLog', '1', 'In-Portal', 'in-portal:configure_advanced', 'la_section_SettingsLogs', 'la_config_EnableEmailLog', 'radio', NULL, '1=la_Yes||0=la_No', 65.01, 0, 1, 'hint:la_config_EnableEmailLog'); INSERT INTO SystemSettings VALUES(DEFAULT, 'EmailLogRotationInterval', '2419200', 'In-Portal', 'in-portal:configure_advanced', 
'la_section_SettingsLogs', 'la_config_EmailLogRotationInterval', 'select', NULL, '86400=la_opt_OneDay||604800=la_opt_OneWeek||1209600=la_opt_TwoWeeks||2419200=la_opt_OneMonth||7257600=la_opt_ThreeMonths||29030400=la_opt_OneYear||-1=la_opt_EmailLogKeepForever', 65.02, 0, 0, 'hint:la_config_EmailLogRotationInterval'); INSERT INTO SystemSettings VALUES(DEFAULT, 'SystemLogRotationInterval', '2419200', 'In-Portal', 'in-portal:configure_advanced', 'la_section_SettingsLogs', 'la_config_SystemLogRotationInterval', 'select', NULL, '86400=la_opt_OneDay||604800=la_opt_OneWeek||1209600=la_opt_TwoWeeks||2419200=la_opt_OneMonth||7257600=la_opt_ThreeMonths||29030400=la_opt_OneYear||-1=la_opt_SystemLogKeepForever', 65.03, 0, 1, 'hint:la_config_SystemLogRotationInterval'); Index: branches/5.3.x/core/kernel/managers/cookie_manager.php =================================================================== diff -u -N --- branches/5.3.x/core/kernel/managers/cookie_manager.php (revision 0) +++ branches/5.3.x/core/kernel/managers/cookie_manager.php (revision 16731) 
@@ -0,0 +1,132 @@ +Application->ConfigValue('PlainTextCookies'); + + if ( $plain_text_cookies ) { + $plain_text_cookies = array_intersect(explode(',', $plain_text_cookies), $all_cookie_names); + + foreach ( $plain_text_cookies as $cookie_name ) { + $ret[$cookie_name] = $cookies[$cookie_name]; + } + } + + $encrypted_cookies = $this->Application->ConfigValue('EncryptedCookies'); + + if ( $encrypted_cookies ) { + $encrypted_cookies = explode(',', $encrypted_cookies); + } + else { + // Happens during an upgrade, when "EncryptedCookies" system setting is missing. + $encrypted_cookies = $this->getRequiredEncryptedCookies(); + } + + $encrypted_cookies = array_intersect($encrypted_cookies, $all_cookie_names); + + /** @var SecurityEncrypter $encrypter */ + $encrypter = $this->Application->recallObject('SecurityEncrypter'); + + foreach ( $encrypted_cookies as $cookie_name ) { + try { + $ret[$cookie_name] = $encrypter->decrypt($cookies[$cookie_name]); + } + catch ( LogicException $e ) { + // Can't delete malformed cookie here, because session isn't initialized yet. + trigger_error( + 'Error decrypting cookie "' . $cookie_name . '": ' . $e->getMessage(), + E_USER_NOTICE + ); + } + } + + return $ret; + } + + /** + * Returns required encrypted cookies. + * + * @return array + */ + public function getRequiredEncryptedCookies() + { + $session_cookie_name = $this->Application->ConfigValue('SessionCookieName'); + + return array( + 'adm_' . $session_cookie_name, + 'adm_' . $session_cookie_name . '_live', + $session_cookie_name, + $session_cookie_name . '_live', + ); + } + + /** + * Encrypts and tracks a cookie. + * + * @param string $cookie_name Cookie name. + * @param string $cookie_value Cookie value. + * + * @return string + */ + public function encryptAndTrack($cookie_name, $cookie_value) + { + $encrypted_cookies = $this->Application->ConfigValue('EncryptedCookies'); + $encrypted_cookies = $encrypted_cookies ? 
explode(',', $encrypted_cookies) : array(); + + // Has no effect during an upgrade, because "EncryptedCookies" system setting is absent. + if ( !in_array($cookie_name, $encrypted_cookies) ) { + $encrypted_cookies[] = $cookie_name; + $this->Application->SetConfigValue('EncryptedCookies', implode(',', $encrypted_cookies)); + } + + /** @var SecurityEncrypter $encrypter */ + $encrypter = $this->Application->recallObject('SecurityEncrypter'); + + // Don't change encrypted cookie value, when it's decrypted value hasn't changed. + if ( array_key_exists($cookie_name, $_COOKIE) ) { + $old_encrypted_value = $_COOKIE[$cookie_name]; + $decrypted_cookies = $this->filterAllowed(array( + $cookie_name => $old_encrypted_value, + )); + + // Decryption was successful and value hasn't changed. + if ( array_key_exists($cookie_name, $decrypted_cookies) + && $decrypted_cookies[$cookie_name] === $cookie_value + ) { + return $old_encrypted_value; + } + } + + // Would return different encrypted string for same plain-text string on each call !!! + return $encrypter->encrypt($cookie_value); + } + +} Index: branches/5.3.x/core/install.php =================================================================== diff -u -N -r16726 -r16731 --- branches/5.3.x/core/install.php (.../install.php) (revision 16726) +++ branches/5.3.x/core/install.php (.../install.php) (revision 16731) @@ -1,6 +1,6 @@ Conn->doInsert($fields_hash, TABLE_PREFIX.'SystemSettings'); } - - $random_string = $this->Application->ConfigValue('RandomString'); - - if ( !$random_string ) { - $user_helper = $this->Application->recallObject('UserHelper'); - /* @var $user_helper UserHelper */ - - $random_string = $user_helper->generateRandomString(64, true, true); - $this->Application->SetConfigValue('RandomString', $random_string); - } - break; }
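Review bot: The cookie-name binding that the deleted kCookieHasher provided is gone: `encryptAndTrack` ends with `$encrypter->encrypt($cookie_value)` and `filterAllowed` does `$encrypter->decrypt($cookies[$cookie_name])`, while the old code encrypted `Array($cookie_name => $plain_value)` and rejected a value "copied from other cookie". Unless SecurityEncrypter binds associated data itself (nothing in this diff shows that), a client can move a valid encrypted `sid` value into `adm_sid` or any other listed name and it decrypts cleanly; re-encode the name into the plaintext and verify it on the way out, as below, using `json_encode` rather than `serialize` so `unserialize` stays off the cookie path. Two smaller points: `encryptAndTrack` persists `SetConfigValue('EncryptedCookies', …)` as a side effect of setting any unlisted cookie, so the stored list grows with whatever names application code uses and that write happens on the request path, which deserves at least a comment; and the `trigger_error` in `filterAllowed` forwards `$e->getMessage()`, which is fine only if the encrypter never includes ciphertext or key material in it — not verifiable here. The class header and the start of `filterAllowed` are cut off at the top of this hunk.
```php
// filterAllowed(): … unchanged: plain-text cookie pass-through, encrypter lookup …
foreach ( $encrypted_cookies as $cookie_name ) {
    try {
        $decoded = json_decode($encrypter->decrypt($cookies[$cookie_name]), true);

        // Reject a ciphertext that was issued for a different cookie name.
        if ( is_array($decoded) && array_key_exists($cookie_name, $decoded) ) {
            $ret[$cookie_name] = $decoded[$cookie_name];
        }
        else {
            trigger_error('Cookie "' . $cookie_name . '" was issued for another cookie name', E_USER_NOTICE);
        }
    }
    catch ( LogicException $e ) {
        // … unchanged: notice on decryption failure …
    }
}

// encryptAndTrack(): … unchanged: list tracking and unchanged-value short-circuit …
return $encrypter->encrypt(json_encode(array($cookie_name => $cookie_value)));
```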