jabalsad

Reputation: 2421

When authenticating with Omniauth, what data should I store in the cookie?

I'm using Sinatra and Omniauth (specifically, google oauth2) to serve a website. I'm somewhat confused over what data is safe to store in the cookie and what isn't.

I'm inclined to say that I should simply store an authorized => true field in the cookie, once I have confirmed that the AuthHash contains an access token. The cookie is protected using Rack::Session::Cookie and :secret => "some-really-long-and-strong-password". Is this thinking correct?

Furthermore, if someone wants to hack the site (i.e. login without actually logging in), all they need to do is successfully break the cookie's secret and make a fake cookie with authorized => true, right?

I don't see any value in storing the actual access key stored in the credentials portion of the Omniauth::AuthHash, since this seems to be the sensitive information...

Upvotes: 1

Views: 159

Answers (1)

fdsaas

Reputation: 714

I'm somewhat confused over what data is safe to store in the cookie and what isn't.

In general, this is the worst scenario if someone steals a user cookie:

  • Hijack the user's session
  • Steal all data contained in the cookie
  • Gain unauthorized access

I think what you want to use is a form of authenticity token that you can pass back and forth to verify the authenticity of the user and their requests.

References

I'd check out the sections Example and characteristics and Prevention in particular.

Upvotes: 2
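The following is an added example, not code from the question, the answer, Rack or Sinatra. It models the scheme the question describes: a session hash serialized into a cookie and protected by an HMAC over it with a server-side secret, which is the shape of the classic Rack::Session::Cookie with :secret (payload signed, not encrypted). It keeps only the AuthHash fields needed to recognise the user and leaves the access token out, then runs the attacks both posts mention: reading the payload without the secret, replaying a stolen cookie (the answer's hijacking case, which a signature cannot stop), forging a cookie under a guessed secret, and swapping the payload under a genuine MAC. The SECRET constant, the helper names and the AuthHash values are all constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical: a real app loads the secret from the environment; it is
# generated here only so the example runs stand-alone.
SECRET = OpenSSL::Random.random_bytes(64)

# Keep only what the app needs to recognise the user. The OAuth access token
# in auth['credentials'] never enters the cookie: the cookie is readable by
# whoever holds it, and the signature only prevents modification.
def session_from_auth(auth)
  raise ArgumentError, 'no access token in AuthHash' unless auth.dig('credentials', 'token')
  { 'authorized' => true, 'provider' => auth['provider'], 'uid' => auth['uid'] }
end

def hmac(data, secret)
  OpenSSL::HMAC.hexdigest('SHA256', secret, data)
end

# Serialized session, then the MAC over it, in the "data--mac" layout.
def encode_session(session, secret)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{hmac(data, secret)}"
end

# Constant-time comparison so the MAC check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil for a cookie that is malformed, forged,
# tampered with, or signed under a different secret.
def decode_session(cookie, secret)
  data, mac = cookie.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  return nil unless secure_compare(hmac(data, secret), mac)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# What an attacker holding a genuine cookie can and cannot do with it.
def cookie_attacks(genuine_cookie, secret)
  data, genuine_mac = genuine_cookie.split('--', 2)
  admin_payload = Base64.strict_encode64(JSON.generate({ 'authorized' => true, 'uid' => 'admin' }))
  {
    # the payload is visible without the secret (signed, not encrypted)
    'readable' => JSON.parse(Base64.strict_decode64(data)),
    # a stolen cookie replays as-is: session hijacking, which signing cannot stop
    'replayed' => decode_session(genuine_cookie, secret),
    # forged under a guessed secret: rejected
    'forged'   => decode_session(encode_session({ 'authorized' => true, 'uid' => 'admin' }, 'guess'), secret),
    # admin payload swapped in under the genuine MAC: rejected
    'tampered' => decode_session("#{admin_payload}--#{genuine_mac}", secret)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed AuthHash with the fields the question mentions.
  auth = { 'provider' => 'google_oauth2', 'uid' => '1234',
           'credentials' => { 'token' => 'constructed-token' } }
  cookie = encode_session(session_from_auth(auth), SECRET)
  puts cookie_attacks(cookie, SECRET).inspect
end
```

The 'readable' result is the reason the question's instinct is right: anything placed in a signed cookie, an access token included, is disclosed to whoever obtains the cookie. The 'replayed' result shows the limit of the secret: guessing or breaking it is one way in, but a cookie stolen over the wire or via the browser works without it, so the cookie also needs Secure and HttpOnly flags and a server-side expiry.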
