Ralph Shnelvar wrote:
The line that concerns me is
session[:user_id] = user.id
Given that the session data is likely to be stored in cookies, and given
that user.id is likely to be a relatively small number (less than a
million) ... how secure is this as a flag to indicate that someone is an
authorized user of a store??? Couldn't an unauthorized user create the
session[:user_id] = user.id and then get access?
A good question! You are thinking the right way. Fortunately this
question has been asked already and the answer is that the session is
a signed piece of data using an HMAC. This means that if an attacker
tries to change the values in the session store that the signature
will fail. The signature check in Rails will catch this and the user
will see a 422 error. Try it!
Note that the session is only signed and not encrypted. So don't
store anything there that you don't want the user to be able to see.
It is only protected from modification and not protected from being
Here is a good guide for further information.