session[:] variables

hi all,

   i would like to know how safe is to use session variables like
session[:name]=something? can it be tampered by the user or somebody?
can we have it in methods in application.rb and application_helper.rb
for some validation and how safe is that too? i've different types of
users for whom views are also different so i was thinking of setting
them by session vars. is thr any other better way? any help is greatly
appreciated. thanks in advance. :slight_smile:

-Dhaval

hi all,

  i would like to know how safe is to use session variables like
session[:name]=something? can it be tampered by the user or somebody?
can we have it in methods in application.rb and application_helper.rb
for some validation and how safe is that too? i've different types of
users for whom views are also different so i was thinking of setting
them by session vars. is thr any other better way? any help is greatly
appreciated. thanks in advance. :slight_smile:

depends to the session store to an extent. With the cookie store the
entire session is stored as a cookie (and signed with a cryptographic
hash), so tampering with it is hard. Users can with fairly minimal
effort read what is in the session.

Fred

hi Fred,

   thanks a lot for reply :). i'm not using cookies so i think it should
be safe to use session vars then. one more thing i would like to know
from ur reply is "depends to the session store to an extent", can u
explain a bit more on this pls? do u mean the cookie or DB to store the
session details or anything else?

-Dhaval

I meant that if you are using the CookieStore (the default since rails
2) then what i wrote applies, if not it doesn't since session data is
stored somewhere on your server with all the other session stores.

Fred

Frederick Cheung wrote: