Hommer Smith

Reputation: 27852

How does session and cookie work in Rails 4?

As I understand it, one of the strategies for storing sessions is to store them in the cookie. There is one thing I don't understand from the docs:

To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie.

What does this mean? How do they prevent me from pretending to be another user if I get that user's cookie and use it in my browser? I guess I don't understand what session hash tampering means.

Upvotes: 2

Views: 162

Answers (1)

Brad Werth

Reputation: 17647

How do they prevent me from pretending to be another user if I get that user's cookie and use it in my browser?

This is called session hijacking, and is covered in http://guides.rubyonrails.org/security.html#session-hijacking. The recommended way to mitigate this is by "always forcing SSL connection in your application config file", like so:

config.force_ssl = true

The whole http://guides.rubyonrails.org/security.html is definitely worth a read, for more goodness like this.

Upvotes: 3
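The two halves of the thread, the digest quoted from the docs in the question and the hijacking point in the answer, are easiest to see side by side in code. The following is an added example, not code from the original page or from Rails itself: it is a simplified model of the Rails 4 cookie store, where the serialized session is followed by an HMAC computed with a server-side secret (Rails' MessageVerifier uses the same "payload--digest" layout, here with JSON instead of Marshal). The secret, the session contents and the helper names are all constructed for the example. It shows that editing the session (the "tampering" the docs mean) breaks verification, while a byte-for-byte copy of a valid cookie still verifies, which is why the signature does nothing against hijacking and the answer points at forcing SSL instead.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed server-side secret for this example only. In Rails this role is
# played by the application's secret_token / secret_key_base.
SECRET = 'constructed-secret-for-the-example-only'.freeze

# Build the cookie value: "<base64 session>--<hex HMAC-SHA1 over the base64>".
# Only someone who knows the secret can produce a digest that verifies.
def sign_session(session, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  digest  = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time comparison so a timing side channel does not leak the digest.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recompute the digest over the received payload and only deserialize the
# session if it matches. Returns nil for anything that fails verification.
def verify_session(cookie, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# What "session hash tampering" means: keep the victim's digest but swap in a
# different session body, hoping the server accepts it.
def tamper(cookie, new_session)
  _, digest = cookie.split('--', 2)
  "#{Base64.strict_encode64(JSON.generate(new_session))}--#{digest}"
end

# Walk through the three cases the thread is about and return the results.
def demo
  legitimate = sign_session({ 'user_id' => 42 })          # issued by the server
  tampered   = tamper(legitimate, { 'user_id' => 1 })      # body edited by the client
  forged     = sign_session({ 'user_id' => 1 }, 'guess')   # signed with the wrong secret
  stolen     = legitimate.dup                              # copied verbatim by an attacker

  {
    legitimate: verify_session(legitimate),   # {"user_id"=>42}
    tampered:   verify_session(tampered),     # nil: digest no longer matches the payload
    forged:     verify_session(forged),       # nil: attacker does not know SECRET
    stolen:     verify_session(stolen)        # {"user_id"=>42}: a copy is still valid
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, result| puts "#{label}: #{result.inspect}" }
end
```

The integrity check answers the question in the original post: the digest stops the browser from changing `user_id` or any other session value, but it cannot tell a copied cookie from the original, so a cookie captured over plain HTTP is as good as the victim's own, which is the hijacking case the answer addresses with `config.force_ssl = true`. Note that signing is not encryption: anyone holding the cookie can base64-decode the payload and read the session, which is why Rails 4.1 moved to encrypted cookies.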
