views:

817

answers:

1

I was wondering whether there is any difference between a session and an encrypted cookie (configured to expire as the session cookie does).

Aren't they the exact same thing? Or Rails provides extra security for sessions?

+5  A: 

A session is a higher-level thing than a cookie. Sessions are collections of variables which persist for one user session only. Sessions can be stored in a cookie, in a database, or wherever a session-handling plugin chooses to store them. Cookies are now the default place where sessions are stored in modern versions of Rails. Note: when sessions are stored outside the cookie, there's an ID stored in the cookie so Rails can look up the session data in wherever it's stored (e.g. a database).

Now, let me move on to what I think you want to be asking: what's the difference between Rails' default session-storage (which uses an un-encrypted cookie) and Phusion's EncryptedCookieStore or any other encrypted-cookie session storage implementation? Why do you care about encrypting a session cookie?

According to http://agilewebdevelopment.com/plugins/encrypted_cookie_store, here's the crux of the difference: "EncryptedCookieStore is similar to Ruby on Rails's CookieStore (it saves session data in a cookie), but it uses encryption so that people can't read what's in the session data. This makes it possible to store sensitive data in the session.".

Note that there are multiple different EncryptedCookieStore's. AFAIK, you's want to use Phusion's EncryptedCookieStore and not ThinkRelevance's older EncryptedCookieStore.

If you're not encrypting cookies, then session data is easily readable by anyone with access to the cookie (either via network sniffer, disk access to the client, XSS, etc.) For details about how session vars are stored into cookies (along with security implications), look here: http://www.neeraj.name/2009/05/04/how-cookie-stores-session-data-in-rails.html.

Note that the default (non-encrytped) cookie storage is tamper-resistant (meaning Rails will reject a maliciously changed cookie). So if all you're worried about is preventing people from changing your cookies (but don't care if they see your cookies) then you're OK with the default.

Justin Grant
How is it tamper-resistent?
Jon
Rails uses an HMAC (http://en.wikipedia.org/wiki/HMAC) to guarantee that no one has modified the cookie from how Rails stored it there.
Justin Grant