Ruby on Rails Cookie Session Storage
Cookie Session Storage
Since Rails 2.0 the session data is, by default, stored in the cookie itself (the CookieStore) rather than on the server. The cookie value is laid out as follows:
![session storage](https://wikitechy.com/tutorials/ruby-on-rails/img/ruby-on-rails-images/session-storage.png)
Learn Ruby on Rails - Ruby on Rails tutorial - session storage - Ruby on Rails examples - Ruby On Rails programs
`Base64(CGI::escape(SESSION-DATA))--HMAC(secret_key, SESSION-DATA)`
![session storage](https://wikitechy.com/tutorials/ruby-on-rails/img/ruby-on-rails-images/session-storage-example.png)
Security implications
- The user (or anyone who obtains the cookie) can read the session data in plain text: it is only Base64-encoded, not encrypted
- The HMAC secret can be brute-forced offline from a captured cookie, and arbitrary session data could then be signed and accepted by the application
- Replay attacks are easier, because a client-side session cannot be flushed by the server
Countermeasures
- Don't store important data in the session!
- Use a strong secret (Rails already enforces a minimum of 30 characters)
- Invalidate sessions after a certain time on the server side
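The following is an added example, not code from the tutorial or from Rails itself. It models the cookie layout described above (`Base64(CGI::escape(data))--HMAC(secret, data)`) as a small Ruby module so that the three points in this section can be seen in working code: the payload is readable by anyone holding the cookie, the HMAC is what stops tampering, and a signed expiry timestamp lets the server reject stale cookies. Assumptions: the payload is JSON rather than Rails' Marshal format (Marshal would make the demo unsafe to run on untrusted input), the HMAC uses SHA1 as the Rails 2.x CookieStore did, the `expires_at` field and the `ToyCookieStore` name are this example's own, and the secret is a constructed value.

```ruby
require 'base64'
require 'cgi'
require 'json'
require 'openssl'

# Toy model of a Rails 2.x-style CookieStore (added example, not Rails code).
# Cookie layout: CGI.escape(Base64(JSON(session)))--HMAC_SHA1(secret, Base64 payload)
module ToyCookieStore
  SEPARATOR = '--'

  # Serialise the session, stamp it with an expiry, and sign the encoded payload.
  # The HMAC covers the Base64 string so the server can verify before decoding.
  def self.generate(session, secret, ttl: 3600, now: Time.now.to_i)
    stamped = session.merge('expires_at' => now + ttl)
    payload = Base64.strict_encode64(JSON.generate(stamped))
    digest  = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
    "#{CGI.escape(payload)}#{SEPARATOR}#{digest}"
  end

  # Security implication 1: no secret is needed to read the session contents.
  # This is exactly what a user (or anyone holding the cookie) can do.
  def self.peek(cookie)
    payload, _digest = cookie.split(SEPARATOR, 2)
    JSON.parse(Base64.strict_decode64(CGI.unescape(payload)))
  end

  # Server-side load: verify the HMAC first, then enforce the expiry.
  # Returns the session Hash, or nil when the cookie is forged, malformed or expired.
  def self.load(cookie, secret, now: Time.now.to_i)
    payload, digest = cookie.split(SEPARATOR, 2)
    return nil if payload.nil? || digest.nil?

    payload  = CGI.unescape(payload)
    expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
    return nil unless secure_compare(digest, expected)

    session = JSON.parse(Base64.strict_decode64(payload))
    return nil unless session.is_a?(Hash) && session['expires_at'].is_a?(Integer)
    return nil if session['expires_at'] < now

    session
  rescue ArgumentError, JSON::ParserError
    nil # bad Base64 or bad JSON: treat as an invalid cookie rather than raising
  end

  # Constant-time comparison so the HMAC check does not leak how many leading
  # hex characters of a guess were correct.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret-well-over-30-characters' # constructed value
  cookie = ToyCookieStore.generate({ 'user_id' => 42 }, secret)
  puts "cookie:        #{cookie}"
  puts "readable by anyone: #{ToyCookieStore.peek(cookie)}"
  puts "server accepts:     #{!ToyCookieStore.load(cookie, secret).nil?}"

  # Tampering: swap the payload but keep the original digest.
  _payload, digest = cookie.split('--', 2)
  forged_payload = CGI.escape(Base64.strict_encode64(JSON.generate('user_id' => 1, 'expires_at' => 4_000_000_000)))
  puts "forged accepted:    #{!ToyCookieStore.load("#{forged_payload}--#{digest}", secret).nil?}"
end
```

The expiry check is the simplest form of the third countermeasure: the timestamp travels inside the signed payload, so the client cannot extend it without breaking the HMAC, and the server decides whether the cookie is still acceptable. A stricter variant keeps a server-side list of revoked session identifiers, which is the only way to cut off a cookie before its stamp runs out.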
Rails default session secret
![default session](https://wikitechy.com/tutorials/ruby-on-rails/img/ruby-on-rails-images/default-session.png)
Set HTTPS only cookies
![Http cookies](https://wikitechy.com/tutorials/ruby-on-rails/img/ruby-on-rails-images/http-cookies.png)
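As an added example (not from the tutorial), the modern Rails initializer form of this setting: the `secure` flag stops the browser from sending the session cookie over plain HTTP, `httponly` keeps it out of reach of page scripts, and `force_ssl` makes the application redirect HTTP requests to HTTPS. The application name in the cookie key is a placeholder.

```ruby
# config/initializers/session_store.rb (added example; `_myapp_session` is a placeholder)
Rails.application.config.session_store :cookie_store,
  key: '_myapp_session',
  secure: Rails.env.production?, # only sent over HTTPS in production
  httponly: true                 # not readable from JavaScript

# config/environments/production.rb
Rails.application.configure do
  config.force_ssl = true # redirect HTTP to HTTPS and mark cookies Secure
end
```

A quick check after deploying is to look at the `Set-Cookie` response header for the session cookie: it should carry both `Secure` and `HttpOnly`, and a request over plain `http://` should be redirected rather than answered with a session cookie.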