Ruby on Rails Cookie Session Storage
Cookie Session Storage
Since Rails 2.0, session data is stored in the cookie by default, with the cookie value laid out as
Base64(CGI::escape(SESSION-DATA))--HMAC(secret_key, SESSION-DATA)
Security implications
- The user can view the session data in plain text
- If the secret key is weak, the HMAC can be brute-forced and arbitrary session data can be forged
- Replay attacks are easier as you cannot flush the client-side session
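To make the cookie layout and the first two implications concrete, here is an added example (not Rails' own CookieStore code; the secret and the session contents are constructed, and JSON stands in for Marshal as the serializer) that builds a cookie in the shape Base64(CGI::escape(DATA))--HMAC(secret, DATA), shows that the payload is readable without the secret, and verifies the HMAC in constant time so a modified payload is rejected.

```ruby
require 'cgi'
require 'json'
require 'openssl'

# Constructed placeholder secret; Rails insists on at least 30 characters.
SECRET = 'example-secret-at-least-thirty-chars-long!!'.freeze

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# Constant-time comparison so a forged MAC cannot be confirmed byte by byte via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Builds "Base64(CGI.escape(DATA))--HMAC(secret, DATA)" from a session hash.
def build_session_cookie(session, secret = SECRET)
  data = JSON.generate(session)
  encoded = [CGI.escape(data)].pack('m0') # strict Base64, no line breaks
  "#{encoded}--#{hmac_hex(secret, data)}"
end

# Returns the session hash, or nil when the cookie is absent, malformed, or its MAC does not match.
def verify_session_cookie(cookie, secret = SECRET)
  encoded, mac = cookie.to_s.split('--', 2)
  return nil if encoded.nil? || mac.nil?
  data = CGI.unescape(encoded.unpack1('m0'))
  return nil unless secure_equal?(mac, hmac_hex(secret, data))
  JSON.parse(data)
rescue ArgumentError, JSON::ParserError
  nil # invalid Base64 or invalid payload
end

# The left half needs no secret at all: this is the "plain text" implication above.
def read_session_without_secret(cookie)
  encoded, = cookie.split('--', 2)
  JSON.parse(CGI.unescape(encoded.unpack1('m0')))
end
```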
Countermeasures
- Don’t store important data in the session!
- Use a strong secret key (Rails already forces at least 30 characters)
- Invalidate sessions after a certain time on the server side
Rails default session secret
Set HTTPS only cookies