Looking for advice on CRYPTO::sign and CRYPTO::verify
Granted there are a bunch of different things you can do with these commands, but here's a very basic example:

    # Shared secret used for both signing and verifying (HMAC is symmetric)
    set secret_key "foobar1234"
    # The content to protect
    set data "This is my data"
    # CRYPTO::sign returns the raw (binary) HMAC-SHA1 tag over $data
    set signed_data [CRYPTO::sign -alg hmac-sha1 -key $secret_key $data]
    # CRYPTO::verify recomputes the tag over $data and compares it to $signed_data
    if { [CRYPTO::verify -alg hmac-sha1 -key $secret_key -signature $signed_data $data] } {
        log local0. "Data verified"
    }
The secret key will normally be some large string, its size generally dictated by the algorithm. The data is just whatever content you want to sign. The result of the [CRYPTO::sign] command will be a binary value, so if you're going to store this somewhere, it's probably best to b64encode it first. The [CRYPTO::verify] command essentially takes the original data and the digital signature of that data (derived from [CRYPTO::sign]), decrypts that digital signature with the key, creates a new hash of the data, and then compares the two hashes. If they're the same, then the contents have not been modified.

Now, for what it's worth, you can encrypt a cookie with a lot less effort using the AES command. Further, an encrypted cookie only verifies that the cookie wasn't tampered with. It does not, however, protect against a cookie being stolen. It's also best practice, from a security perspective, not to put anything in a client-side cookie that's of any value (that could affect server-side logic with some manipulation). Then you don't have to worry about encrypting or signing the cookie.
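The sign/verify flow described in the answer, worked through as an added example that is not part of the original post and not F5 iRule code: it uses Python's standard `hmac` module to show what an HMAC-SHA1 tag is, the base64 step recommended for storing the binary tag, a constant-time comparison on verify, and a tamper check on a signed cookie value. The key and cookie contents are constructed sample values, and the `make_cookie`/`read_cookie` helpers are hypothetical names, not anything the CRYPTO commands provide.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not from any real deployment.
SECRET_KEY = b"foobar1234"
DATA = b"This is my data"


def sign(key: bytes, data: bytes) -> str:
    """Return the HMAC-SHA1 tag over data, base64-encoded.

    The raw tag is binary (20 bytes for SHA-1), so it is encoded before being
    stored in a cookie, header, or session table; this mirrors the advice to
    b64encode the output of CRYPTO::sign.
    """
    tag = hmac.new(key, data, hashlib.sha1).digest()
    return base64.b64encode(tag).decode("ascii")


def sign_hex(key: bytes, data: bytes) -> str:
    """Same tag as sign(), as lowercase hex (handy for checking test vectors)."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def verify(key: bytes, data: bytes, signature_b64: str) -> bool:
    """Recompute the tag over data and compare it to the supplied one.

    Nothing is 'decrypted': HMAC verification is recomputation plus a
    constant-time equality check. Malformed base64 is treated as a failure.
    """
    try:
        expected = base64.b64decode(signature_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    actual = hmac.new(key, data, hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def make_cookie(key: bytes, payload: bytes) -> str:
    """Build a signed cookie value: base64(payload) '.' base64(tag).

    The payload is readable by the client; the tag only detects modification.
    """
    return base64.b64encode(payload).decode("ascii") + "." + sign(key, payload)


def read_cookie(key: bytes, cookie: str):
    """Return the payload if the cookie's tag is valid, otherwise None."""
    try:
        payload_b64, sig = cookie.split(".", 1)
        payload = base64.b64decode(payload_b64, validate=True)
    except ValueError:  # missing separator or bad base64
        return None
    return payload if verify(key, payload, sig) else None


if __name__ == "__main__":
    tag = sign(SECRET_KEY, DATA)
    print("tag (b64):", tag)
    print("intact   :", verify(SECRET_KEY, DATA, tag))
    print("modified :", verify(SECRET_KEY, b"This is NOT my data", tag))

    cookie = make_cookie(SECRET_KEY, b"role=user")
    # Swap the payload for a different one while keeping the old tag
    forged = base64.b64encode(b"role=admin").decode("ascii") + "." + cookie.split(".", 1)[1]
    print("cookie   :", read_cookie(SECRET_KEY, cookie))
    print("forged   :", read_cookie(SECRET_KEY, forged))
```

The `forged` case illustrates the answer's point that a tag only proves the value was not altered; `read_cookie` still happily accepts the untouched `cookie` if it is replayed from another client, which is why the answer recommends not putting anything of value in the cookie in the first place.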