I have read a bunch of stuff saying that one con of using the cookie store in a Rails app is that the client can see the cookie data. However, I looked at the cookie data and it is encrypted. Is it relatively easy to decrypt the cookie data?

+3  A: 

The default cookie store in Rails isn't encrypted, it's Base64 encoded. Base64 encoding is simply a way to represent binary data in ASCII, and should not be thought of as "encryption" by any stretch of the imagination; anyone can decode it.

Meredith L. Patterson
ah, that's the ticket.
Tony
+1  A: 

The session data stored is signed using the information below, which you set up in your config.rb file.

Rails::Initializer.run do |config|
  config.action_controller.session = {
    :session_key => '_store_session',
    :secret      => '851939c37d94574e284ded8437d4ea3447dae24cc5bda61d8eaf2731d49273bc4c620'
  }
end

So while it is not easy to read, it is not impossible with enough time and effort.

Here are a bunch of links that discuss this issue at length, but the general consensus is that this is not a flawed implementation and that you should not store anything in the session that is too critical.

dave elkins
The client-side data isn't encrypted, it's signed with the secret key. Big difference. The signature means that the client can verify whether the cookie data has been tampered with (if it's been altered, the signature won't match), but this doesn't stop anyone who intercepts the cookie data from being able to read it.
Meredith L. Patterson
a good article from carsonified.com about secure cookies: http://carsonified.com/blog/dev/how-to-create-totally-secure-cookies/
dave elkins
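The two answers above make the same point from different angles: the cookie store's payload is Base64, so anyone holding the cookie can read it, and the secret only signs it, so the server can tell whether it was changed. The example below is added here and is not code from the original page or from Rails; it models the Rails 2-era cookie layout as base64(Marshal.dump(session)) followed by "--" and a hex HMAC-SHA1 over the encoded part, which is an assumption about the format rather than Rails' own implementation. The secret is the one from the answer above, and the session contents are constructed for the demonstration.

```ruby
require 'openssl'

# Added example modelling the Rails 2-era cookie store layout (an assumption,
# not Rails' own code): base64(Marshal.dump(session)) + "--" + hex HMAC-SHA1.
# pack('m0') / unpack1('m0') give strict Base64 without the base64 gem.
SECRET = '851939c37d94574e284ded8437d4ea3447dae24cc5bda61d8eaf2731d49273bc4c620'

def sign(payload, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, payload)
end

# Compare digests byte by byte without an early exit, so a forger cannot
# measure how many leading hex characters of a guess matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def build_cookie(session, secret)
  payload = [Marshal.dump(session)].pack('m0')
  "#{payload}--#{sign(payload, secret)}"
end

# What the client, or anyone who intercepts the cookie, can do: decode the
# payload and read it. No secret is involved at any point.
def peek(cookie)
  payload, _digest = cookie.split('--', 2)
  Marshal.load(payload.unpack1('m0'))
end

# What the server does: check the signature first, and only then unmarshal.
# Marshal.load on unverified bytes would hand the client an arbitrary
# deserialization primitive, so the order matters.
def load_session(cookie, secret)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  return nil unless constant_time_equal?(sign(payload, secret), digest)
  Marshal.load(payload.unpack1('m0'))
end

# Rewrite the session and either re-sign it (the forger knows the secret)
# or keep the old digest (the forger does not).
def forge(cookie, changes, secret = nil)
  session = peek(cookie).merge(changes)
  payload = [Marshal.dump(session)].pack('m0')
  digest = secret ? sign(payload, secret) : cookie.split('--', 2).last
  "#{payload}--#{digest}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = build_cookie({ user_id: 42, role: 'user' }, SECRET) # constructed session
  p peek(cookie)                                                 # readable without the secret
  p load_session(forge(cookie, { role: 'admin' }), SECRET)       # nil: signature mismatch
  p load_session(forge(cookie, { role: 'admin' }, SECRET), SECRET) # accepted: forged with the secret
end
```

Running it shows the asymmetry the answers describe: peek recovers the full session from the cookie alone, the tampered cookie is rejected because its digest no longer matches, and only a party holding the secret can produce a cookie the server accepts. That is also why the secret, not the cookie, is the thing to protect, and why the server must verify before it deserializes.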
+1  A: 

It is worth knowing that Rails < 1.2.6 suffered from a session-fixation vulnerability that makes it easy to steal someone else's ID / session.

Rails 1.2.4 Release Notes http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release

Rails 1.2.6 Release Notes http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release

CVE-2007-5380 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5380

CVE-2007-6077 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6077

Cheekysoft
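What session fixation means in practice, as an added example that is not from the original post and not Rails' own code: a toy server-side session store in which login either keeps the session id the client presented (the fixation bug) or discards it and issues a fresh one (the usual fix, which is what resetting the session on login achieves). The store, its method names and the attacker-chosen id are assumptions for illustration; the example shows the vulnerability class named in the answer and does not reproduce the specific bugs in the CVEs linked above.

```ruby
require 'securerandom'

# Toy server-side session store (an assumption for this example, not Rails').
class SessionStore
  def initialize
    @sessions = {}
  end

  # Look up a session by the id the client presented, creating an empty one
  # if it is new. Honouring an arbitrary client-supplied id is the
  # precondition for fixation: the attacker chooses the id in advance.
  def fetch(id)
    @sessions[id] ||= {}
  end

  # Look up without creating, so a caller can tell "never existed" apart.
  def lookup(id)
    @sessions[id]
  end

  def drop(id)
    @sessions.delete(id)
  end

  def new_id
    SecureRandom.hex(16)
  end
end

# Vulnerable: authenticates into whichever session id the request carried.
def login_without_reset(store, presented_id, user_id)
  store.fetch(presented_id)[:user_id] = user_id
  presented_id
end

# Fixed: discard the pre-authentication session and issue a new id, so an
# id the attacker planted never becomes an authenticated one.
def login_with_reset(store, presented_id, user_id)
  store.drop(presented_id)
  fresh_id = store.new_id
  store.fetch(fresh_id)[:user_id] = user_id
  fresh_id
end

# The attacker plants an id on the victim (a crafted link or a cookie they
# can set), waits for the victim to log in, then presents the same id.
def fixation_succeeds?(login)
  store = SessionStore.new
  planted_id = 'attacker-chosen-id'          # constructed value
  login.call(store, planted_id, 42)          # victim logs in as user 42
  attacker_view = store.lookup(planted_id)   # attacker replays the planted id
  !attacker_view.nil? && attacker_view[:user_id] == 42
end

if __FILE__ == $PROGRAM_NAME
  p fixation_succeeds?(method(:login_without_reset)) # true: attacker is now user 42
  p fixation_succeeds?(method(:login_with_reset))    # false: planted id was discarded
end
```

The fix does not depend on how the id was planted; whatever the delivery channel, the attacker only wins if the id they already know survives authentication, so regenerating the id at the privilege boundary closes the class rather than one vector.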