Ruby on Rails Cookie Session Storage



Cookie Session Storage

Since Rails 2.0, session data is stored in a cookie by default, in the following format:


Base64(CGI::escape(SESSION-DATA))--HMAC(secret_key, SESSION-DATA)


Security implications

  • The user can view the session data in plain text
  • The secret key behind the HMAC can be brute-forced, after which arbitrary session data can be forged
  • Replay attacks are easier because the server cannot flush a client-side session

Countermeasures

  • Don’t store important data in the session!
  • Use a strong secret key; Rails already enforces at least 30 characters
  • Invalidate sessions after a certain time on the server side
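To make the format and the implications above concrete, here is an added example (not Rails' own code) that re-implements the Base64(escaped data)--HMAC layout in plain Ruby: `peek` shows that anyone holding the cookie can read the payload without the key, and `verify` shows the check the server must perform before trusting it. It assumes HMAC-SHA1 in hex over the encoded payload and uses JSON instead of Marshal for the session hash.

```ruby
require 'openssl'
require 'base64'
require 'cgi'
require 'json'

# Simplified re-implementation of the cookie session format described above.
# Assumptions (not Rails' own code): HMAC-SHA1 hex digest over the encoded
# payload, JSON rather than Marshal for the session hash.
module CookieSession
  SEPARATOR = '--'

  # Build a cookie value: Base64(CGI.escape(data))--HMAC(secret, encoded data)
  def self.encode(session_hash, secret)
    data = Base64.strict_encode64(CGI.escape(JSON.generate(session_hash)))
    "#{data}#{SEPARATOR}#{digest(data, secret)}"
  end

  # Decode WITHOUT checking the signature: the payload is only encoded, not
  # encrypted, so the client can read everything stored in the session.
  def self.peek(cookie)
    data, _sig = cookie.split(SEPARATOR, 2)
    JSON.parse(CGI.unescape(Base64.strict_decode64(data)))
  end

  # Server-side check: recompute the HMAC and compare in constant time.
  # Returns the session hash, or nil if the cookie is malformed or tampered.
  def self.verify(cookie, secret)
    data, sig = cookie.split(SEPARATOR, 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(sig, digest(data, secret))
    peek(cookie)
  rescue ArgumentError, JSON::ParserError
    nil # bad Base64 or bad JSON in the payload
  end

  def self.digest(data, secret)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
  end

  # Constant-time comparison so the verifier does not leak the expected digest
  # byte by byte through timing differences.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```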

Rails default session secret


Set HTTPS only cookies

