The HMAC function should already be keyed. So normally HMAC is shown as HMAC(K, M) where K is the key and M is the message. So candidate 2 does not make sense in that regard; it would mean that the key K is included 3 times in the calculation (as the key is used two times in HMAC itself).
Using a cookie with unguessable data does not make sense either, for the same reason. Part of the input of HMAC is the key K, which is already unguessable data. So you would not gain any security, and you would be complicating your protocol.
Now AES should be used in CBC or CTR mode. ECB mode of encryption is unsafe. So that means you require a random IV (CBC) or a unique IV (CTR). This IV should be part of the HMAC, otherwise it is still possible for an attacker to alter the plaintext you get after decryption.
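As an added example (not code from the answer above or from any library): an encrypt-then-MAC wrapper in Go using AES-CBC plus HMAC-SHA256, with a coverIV switch that shows why the IV has to be under the tag. The keys and IV are constructed sample values; in real use the IV comes from crypto/rand and the two keys are separate, properly generated keys.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// tag computes HMAC-SHA256 under macKey over iv||ct when coverIV is true,
// or over ct alone when false (the omission the answer above warns about).
func tag(macKey, iv, ct []byte, coverIV bool) []byte {
	h := hmac.New(sha256.New, macKey)
	if coverIV {
		h.Write(iv)
	}
	h.Write(ct)
	return h.Sum(nil)
}

// seal: PKCS#7 pad, AES-CBC encrypt under encKey with the given 16-byte IV,
// then append the tag (encrypt-then-MAC). Output layout: iv || ct || tag.
func seal(encKey, macKey, iv, msg []byte, coverIV bool) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	ct := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
	blk, _ := aes.NewCipher(encKey) // key assumed to be a valid AES key length
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, ct)
	out := append(append([]byte{}, iv...), ct...)
	return append(out, tag(macKey, iv, ct, coverIV)...)
}

// open verifies the tag in constant time before decrypting anything,
// then decrypts and strips the padding.
func open(encKey, macKey, blob []byte, coverIV bool) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize+sha256.Size || (len(blob)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	iv, ct, got := blob[:aes.BlockSize], blob[aes.BlockSize:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	if !hmac.Equal(got, tag(macKey, iv, ct, coverIV)) {
		return nil, errors.New("tag mismatch")
	}
	blk, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
```

With coverIV set to false, a one-bit change to the stored IV passes the tag check and flips the same bit in the first plaintext block after decryption; with it set to true the same change is rejected before any decryption happens.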