CookieSession Encryption

Travis_D_Warlick_Jr · December 19, 2007, 1:35am

I understand that the new CookieSessions use encryption to secure the data inside the cookie. The +secret+ that is default defined in config.action_controller.session in the environment.rb appears to be a hexidemical key. A few questions regarding this:

1) Is the +secret+ converted from a hex string to a binary key? 2) Can I use any characters in the key 3) What key lengths can I use?

Also, a couple questions about the encryption algorithm:

1) What encryption algorithm is used. 2) What mode is the encryption algorithm operating in (eg. CBC, stream, etc.)

One final question: Is the CookieSession attached to the user's IP address in any way within the ActionController, or is this left to the developer? (To prevent against a replay attack)

Josh_Susser · December 19, 2007, 2:04am

Travis,

This list is for discussion of development of Rails itself. Questions about using Rails should go to the rubyonrails-talk list. I can't tell if you are proposing changing any of those things - if you are, this is the right place. If you are just trying to get information on how this works, the -talk list is the place to go.

Travis_D_Warlick_Jr · December 19, 2007, 2:28am

Josh,

My apologies. I have posted to the Talk list.

Thanks for pointing me in the right direction.

Topic		Replies	Views
CookieSession Encryption rubyonrails-talk	4	201	December 19, 2007
Given the session key and secret, how can we decrypt cookie-based sessions? rubyonrails-talk	1	801	December 21, 2009
Cookie value encryption rubyonrails-talk	4	121	August 7, 2007
CookieSession recommendations rubyonrails-core	9	150	December 21, 2007
Cookie session security and open-source rubyonrails-core	12	192	August 12, 2008

CookieSession Encryption

Related topics

More Resources