session[:] variables

hi all,

   I would like to know how safe it is to use session variables like session[:name]=something. Can it be tampered with by the user or somebody else? Can we have it in methods in application.rb and application_helper.rb for some validation, and how safe is that too? I have different types of users, for whom the views are also different, so I was thinking of setting them by session vars. Is there any other better way? Any help is greatly appreciated. Thanks in advance. :slight_smile:

-Dhaval

It depends on the session store to an extent. With the cookie store the
entire session is stored as a cookie (and signed with a cryptographic
hash), so tampering with it is hard. Users can, with fairly minimal
effort, read what is in the session.

Fred

hi Fred,

   Thanks a lot for the reply :). I'm not using cookies, so I think it should be safe to use session vars then. One more thing I would like to know from your reply is "depends on the session store to an extent"; can you explain a bit more on this please? Do you mean the cookie or DB to store the session details, or anything else?

-Dhaval

I meant that if you are using the CookieStore (the default since Rails 2) then what I wrote applies; if not, it doesn't, since with all the other session stores the session data is stored somewhere on your server.

Fred
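An added example illustrating both of Fred's replies above (the signed, user-readable cookie store and the server-side store where the client only holds an ID). This is not code from the thread or from Rails itself; it is a minimal model of the same shape. The assumptions are: a JSON serializer, HMAC-SHA256 as the signing hash, a `--` separator between payload and signature, and the hypothetical class names `SignedCookieSession` and `ServerSideSession`.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'
require 'json'

# Hypothetical model of a signed cookie session (assumption, not Rails code):
# cookie = Base64(JSON(session)) + "--" + HMAC-SHA256(secret, payload).
# Rails' CookieStore has the same shape (serialized data, separator, HMAC
# digest) but its own serializer and digest choice.
class SignedCookieSession
  SEPARATOR = '--'

  def initialize(secret)
    @secret = secret
  end

  # Serialize and sign. Anyone can decode the payload; only the holder of the
  # secret can produce a signature that verify() accepts.
  def generate(session_hash)
    payload = Base64.strict_encode64(JSON.generate(session_hash))
    "#{payload}#{SEPARATOR}#{sign(payload)}"
  end

  # Check the signature BEFORE deserializing anything. Returns the session
  # hash, or nil if the cookie is malformed, unsigned, or tampered with.
  def verify(cookie)
    payload, signature = cookie.split(SEPARATOR, 2)
    return nil if payload.nil? || signature.nil?
    return nil unless secure_compare(sign(payload), signature)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # What a user can do without the secret: read the contents of the cookie.
  def self.peek(cookie)
    payload = cookie.split(SEPARATOR, 2).first
    JSON.parse(Base64.strict_decode64(payload))
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so the check does not leak how many leading
  # signature bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Server-side store: the cookie carries only a random, unguessable ID; the
# data stays on the server, so the user can neither read nor modify it.
class ServerSideSession
  def initialize
    @store = {}
  end

  def create(session_hash)
    id = SecureRandom.hex(16)
    @store[id] = session_hash.dup
    id
  end

  def fetch(id)
    @store[id]
  end
end

# Constructed walk-through: a legitimate cookie, what the user can read from
# it, and a forgery attempt that swaps the payload but keeps the old signature.
def cookie_store_demo
  store = SignedCookieSession.new(SecureRandom.hex(32))
  cookie = store.generate('name' => 'dhaval', 'role' => 'user')
  genuine_sig = cookie.split(SignedCookieSession::SEPARATOR, 2).last
  forged_payload = Base64.strict_encode64(JSON.generate('name' => 'dhaval', 'role' => 'admin'))
  forged = "#{forged_payload}#{SignedCookieSession::SEPARATOR}#{genuine_sig}"
  {
    readable_role: SignedCookieSession.peek(cookie)['role'], # "user": readable without the secret
    genuine: store.verify(cookie),                            # accepted
    forged: store.verify(forged)                              # nil: signature no longer matches
  }
end

if __FILE__ == $PROGRAM_NAME
  p cookie_store_demo
  sessions = ServerSideSession.new
  id = sessions.create('role' => 'user')
  p [id, sessions.fetch(id), sessions.fetch('not-a-real-id')]
end
```

The point the example makes concrete: with the cookie store, do not put anything secret in `session[:...]`, because `peek` needs no key, but a role stored there cannot be silently upgraded, because `verify` rejects the forgery. With a server-side store, the only thing the user controls is the ID, so the security question becomes guessability of the ID and theft of the cookie rather than tampering with its contents.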

Frederick Cheung wrote: