I understand that the new CookieSessions use encryption to secure the
data inside the cookie. The +secret+ that is defined by default in
config.action_controller.session in the environment.rb appears to be a
hexadecimal key. A few questions regarding this:
1) Is the +secret+ converted from a hex string to a binary key?
2) Can I use any characters in the key?
3) What key lengths can I use?
Also, a couple questions about the encryption algorithm:
1) What encryption algorithm is used?
2) What mode is the encryption algorithm operating in (eg. CBC,
One final question: Is the CookieSession attached to the user's IP
address in any way within the ActionController, or is this left to the
developer? (To protect against a replay attack.)