by uyt 1905 days ago
I'm not a security expert, but in node.js (specifically express.js) there's a concept of "signedCookies".

Usually you can just set a "httpOnly" flag to make sure client-side JavaScript can't mess with the cookie. But if you also sign the cookie, it further enforces this for any client tampering with the cookie manually too. Because only the server knows the secret for creating a new signature, if the client sends back a cookie that is modified in any way (including case sensitivity), it will be discarded. It should prevent the whole class of bugs caused by "unexpected format".


It's also a signed cookie, and we do the signature verification you mention if the format is correct, but if the format doesn't match, that cookie is discarded at the edge, before it even gets sent down to our app servers.
That's very similar to how JWT works. It's a signed message with some keys attached to it.
It's conceptually the same, but JWT implies a specific data format standard which might be a more involved change architecturally.

I'm mentioning the cookie signature stuff because it can be added in an almost black-box way at the web framework level. Whenever you send back something with Set-Cookie, also set a signature. Whenever receiving a request, check for that signature too. Though I guess it's not a good idea to try to "roll your own" if your web framework doesn't already support this out of the box.

(same disclaimer, I am not a security expert)