greenmoon55

Reputation: 81

Rails: Where is message digest of sessions using default CookieStore

According to this question, the session can be edited by the user. But this answer suggests it's safe to store the user id.

From Rails document

A message digest is included with the cookie to ensure data integrity: a user cannot alter his user_id without knowing the secret key included in the hash

With <%= debug(session) %> embedded in my page and the session value in Chrome's Developer Tools, I can't find the message digest in the session cookie. If I log in as user A and then log in as user B, the session cookie remains the same except for the user_id value.

So where is the message digest, or do I need some configuration? The auto-generated secret_token exists in config/initializers/secret_token.rb. Is it stored in the server's memory and used to hash the session value on every request?

Upvotes: 1

Views: 180

Answers (1)

Frederick Cheung

Reputation: 84132

The message digest is part of the cookie value. It's not part of the data you get in the session.

You can see it if you inspect the raw cookie value in Chrome: the digest is separated from the payload by a '--'.

Upvotes: 1
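To make the answer concrete, here is an added example (not code from the question, the answer, or Rails itself) that reproduces the cookie layout the answer describes: a Base64 payload, a literal `--`, then an HMAC-SHA1 hex digest keyed with the secret token. This is the shape ActiveSupport::MessageVerifier produces for CookieStore sessions in the Rails 3 era. The example assumes a constructed stand-in for `secret_token` and serialises the session as JSON rather than Marshal, so that a tampered cookie is never fed to `Marshal.load`; the names `sign_session`, `verify_session` and `tamper_user_id` are hypothetical helpers written for this illustration.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed stand-in for the value Rails generates in
# config/initializers/secret_token.rb. The secret never leaves the server;
# only the digest it produces is sent to the browser.
SECRET_TOKEN = "0123456789abcdef" * 4

# HMAC-SHA1 over the *encoded* payload, hex-encoded, exactly as the
# "--<digest>" suffix of a CookieStore session cookie is built.
def digest_for(payload, secret = SECRET_TOKEN)
  OpenSSL::HMAC.hexdigest("SHA1", secret, payload)
end

# Build the cookie value: Base64(serialised session) + "--" + digest.
# (Rails uses Marshal here; JSON is used so untrusted input never reaches
# Marshal.load in this example.)
def sign_session(session, secret = SECRET_TOKEN)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{digest_for(payload, secret)}"
end

# Constant-time string comparison so an attacker cannot learn the digest
# byte by byte from timing differences.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Split the raw cookie at "--", recompute the digest over the payload with the
# server-side secret, and only deserialise if the digests match.
# Returns the session hash, or nil if the cookie is malformed or tampered.
def verify_session(cookie, secret = SECRET_TOKEN)
  payload, digest = cookie.split("--", 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(digest_for(payload, secret), digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# What a user editing the cookie in the browser can do: change user_id in the
# payload but keep the old digest, because the secret is not available.
def tamper_user_id(cookie, new_id)
  payload, digest = cookie.split("--", 2)
  data = JSON.parse(Base64.strict_decode64(payload))
  data["user_id"] = new_id
  "#{Base64.strict_encode64(JSON.generate(data))}--#{digest}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session({ "user_id" => 1, "session_id" => "constructed-id" })
  puts "raw cookie value:     #{cookie}"
  puts "verified session:     #{verify_session(cookie).inspect}"
  puts "after editing user_id: #{verify_session(tamper_user_id(cookie, 2)).inspect}"
end
```

The `debug(session)` helper only shows the deserialised payload, which is why the digest never appears there; it is visible only in the raw cookie string after the `--`. Note also that a browser's cookie view shows the value URL-encoded, so the Base64 padding `=` appears as `%3D` while the `--` separator remains literal.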
