Reputation: 5617
Do signed cookies increase security if entire site is served over ssl?
Using Rails, I'm working through a tutorial where the author advocates storing a user id with: cookies.permanent.signed[:user_id] = user.id
It seems sensible enough, but I'm curious: Does this actually increase the security of my site if the whole thing is served over ssl?
It's my understanding that cookies are encrypted along with all other response content. How would a signed cookie improve matters?
Upvotes: 0
Views: 128
Answers (1)
Reputation: 4435
Signed cookies protect you against a malicious client manipulating the value, not just an intermediary.
No matter how secure your SSL connection is, [without signed cookies] there's nothing to stop me changing my local browser cookie to contain user_id=1. A lot of the time that's not a big problem because the application can treat cookie values as untrusted, but signing instead means they can be trusted: the only way the client can have gotten that value is if the server previously sent it.
Upvotes: 5
Related Questions
- How to force a secure cookie over HTTP with Rails
- What is the difference between signed and encrypted cookies in Rails?
- How can I make cookies secure (https-only) by default in rails?
- Do I need to sign/encrypt cookies if I am using SSL?
- Should non-secure cookies be sent over HTTPS?
- Should I use cookies and sessions in Rails 4?
- Secure session cookies for rails application
- Signed cookies in Rails 3
- Security of Cookie-based sessions
- are cookies mandatory for Ruby on Rails app?