In what case should one encrypt cookies?
If they contain sensitive information and you have no other solution than sending it in a cookie (you very likely don't). The pub/priv key model would not work easily within a browser, and would most likely not accomplish what you're trying to do.
Really you should not include any sensitive information in a cookie, and ones that do contain state data which you do not want modified should be signed using something like HMAC using a secret known only to the server.
You should encrypt cookies by making them secure (only sent over HTTPS). There's really no reason to manually encrypt data with server side RSA/AES or similar or browser side RSA/AES. If you attempt it, you'll probably leave open vulnerabilities in your implementation, identification, and key exchange protocol.
Your cookies should only contain information that you don't care if the browser at the other end sees or tampers with. You use transport layer security (TLS) to ensure that network eavesdroppers can't see your cookies or tamper with them.
If you have secrets that need to be associated with the user, you should store those secrets server-side and associate them with the user through a either:
- random session token that's long enough to be unfeasible to guess (e.g., 128 bits),
- session token generated via an HMAC generated server side on login with a server-side secret that identifies the user. This session is checked server side everytime a secret needs to be used. Something like
HMAC(username+login_timestamp, key = server_side_secret)
where you essentially hash a combination of the users information with the server side secret key. Then you can associate secrets with the username and before using the secrets, verify that the session token is valid by checking the HMAC is valid. So an attacker who alters their username (to someone else's) or changes the login date (to avoid automatic logout) can't pretend to be a valid signed in user.
Ah cookies. Little bites of delicious information from a web server. This technology has been around for a long time, is tried and true, and works very well if implemented correctly.
Now I say if implemented correctly, and there is a reason for that. Cookies contain information. Keeping secret information secret is a top priority. If that information isn't secret anymore, something bad can happen. This leads to the easiest way ever to decide if a cookie should be encrypted:
Does this cookie contain sensitive information?
Yes: ENCRYPT
No: Whatever
So how should you encrypt the cookie? Well that depends on the type of cookie:
Session/Server Side Only: Never let the user modify it(private, done on server only)
Private user data: symmetric, secure encryption so that the user can use the information inside of it
After that it's all about checking to make sure you're using the correct algorithms to encrypt your data securely, and have enough checks and balances to make sure they aren't tampered with(think JWT)