Reputation: 21
Simple question about session
I came across this example from Ruby's security page (http://guides.rubyonrails.org/security.html). It poses this scenario:
- A user receives credits, the amount is stored in a session (which is a bad idea anyway, but we’ll do this for demonstration purposes).
- The user buys something.
- His new, lower credit will be stored in the session.
- The dark side of the user forces him to take the cookie from the first step (which he copied) and replace the current cookie in the browser.
- The user has his credit back.
I'm a little confused, as I always understood that the session cookie's value is merely an identifier for the server-controlled session state. This example is saying that the cookie's state controls the session's state and that states of session on the server are maintained over time.
Can someone explain this? Thanks.
Upvotes: 2
Views: 68
Answers (1)
Reputation: 2199
That's true for server-side sessions, however this example is from 2.6 Replay Attacks for CookieStore Sessions. CookieStore stores what would usually be persisted in a server-side session in the cookie, and therefore on the client which makes it vunerable to the replay attack in the example.
Upvotes: 2
Related Questions
- What is the Working Flow of Session and Cookies together
- What should be stored in a session and what in a cookie?
- Understanding the relationship between HTTP Sessions and session cookies
- Cookies and session state in asp.net
- Session variables or cookies
- How are session variables effected by cookies?
- Is a session variable stored by default in a cookie?
- cookies and the session state object
- Is this true about cookies in PHP?
- .net HttpCookie class / session cookie questions