CookieSession Encryption

I understand that the new CookieSessions use encryption to secure the
data inside the cookie. The +secret+ that is defined by default in
config.action_controller.session in the environment.rb appears to be a
hexadecimal key. A few questions regarding this:

  1. Is the +secret+ converted from a hex string to a binary key?
  2. Can I use any characters in the key?
  3. What key lengths can I use?

Also, a couple questions about the encryption algorithm:

  1. What encryption algorithm is used?
  2. What mode is the encryption algorithm operating in (e.g. CBC,
    stream, etc.)?

One final question: Is the CookieSession attached to the user’s IP
address in any way within the ActionController, or is this left to the
developer? (To prevent a replay attack)


Travis

On 12/18/07, tekwiz [email protected] wrote:

I understand that the new CookieSessions use encryption to secure the
data inside the cookie. The +secret+ that is defined by default in
config.action_controller.session in the environment.rb appears to be a
hexadecimal key. A few questions regarding this:

  1. Is the +secret+ converted from a hex string to a binary key?

no

  2. Can I use any characters in the key?

yes

  3. What key lengths can I use?

anything 30 bytes or longer

Also, a couple questions about the encryption algorithm:

  1. What encryption algorithm is used?
  2. What mode is the encryption algorithm operating in (e.g. CBC,
    stream, etc.)?

The cookie is signed with a message digest. It is not encrypted.

The default is HMAC-SHA1 but you can choose any OpenSSL-supported hash
you like.

One final question: Is the CookieSession attached to the user’s IP
address in any way within the ActionController, or is this left to the
developer? (To prevent a replay attack)

It’s up to you.

jeremy

Thank you. I believe I understand now, but correct me if I’m wrong.

The cookie data is not encrypted at all. It is always in plaintext.
However, the cookie data is hashed with the secret (aka a salt) and
that is also in the cookie for verification upon the next request.

On 12/18/07, tekwiz [email protected] wrote:

Thank you. I believe I understand now, but correct me if I’m wrong.

The cookie data is not encrypted at all. It is always in plaintext.
However, the cookie data is hashed with the secret (aka a salt) and
that is also in the cookie for verification upon the next request.

Yes. Though we use a message digest (HMAC-SHA1) not a simple hash with
salt.

jeremy

On Dec 19, 2007, at 7:31 AM, tekwiz wrote:

Thank you. I believe I understand now, but correct me if I’m wrong.

The cookie data is not encrypted at all. It is always in plaintext.

Just in case: if you ask whether the data is right there as usual, it
is not, because it is encoded in Base64. There’s no encryption, the
data is readable, and you decode it if you want to see it.

– fxn
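
The behaviour described in this thread (Base64-encoded readable data plus an HMAC-SHA1 digest, no encryption, no replay protection), as an added example that is not part of the original thread and is not Rails' own code. The "--" separator, JSON serialization, the constructed secret and all method names are assumptions of this sketch.

```ruby
require "openssl"
require "json"

SECRET = "constructed-demo-secret-at-least-30-bytes-long" # constructed sample value

def hmac_sha1(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
end

# Sign: strict Base64 of the serialized session, then "--" and the hex digest.
def sign_cookie(session, secret)
  raise ArgumentError, "secret must be 30 bytes or longer" if secret.bytesize < 30
  data = [JSON.generate(session)].pack("m0")
  "#{data}--#{hmac_sha1(secret, data)}"
end

# Anyone holding the cookie can read the data; the secret plays no part here.
def read_without_secret(cookie)
  JSON.parse(cookie.split("--", 2).first.unpack1("m0"))
end

# Compare digests without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify: recompute the digest over the received data before trusting it.
# Returns the session hash, or nil if the cookie is malformed or altered.
def verify_cookie(cookie, secret)
  data, digest = cookie.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_equal?(digest, hmac_sha1(secret, data))
  JSON.parse(data.unpack1("m0"))
end

if __FILE__ == $0
  cookie = sign_cookie({ "user_id" => 42 }, SECRET)
  puts "readable without secret: #{read_without_secret(cookie)}"
  # Changing the data while keeping the old digest fails verification.
  altered = [JSON.generate({ "user_id" => 1 })].pack("m0") + "--" + cookie.split("--", 2).last
  puts "altered cookie accepted? #{!verify_cookie(altered, SECRET).nil?}"
  # An unmodified cookie verifies every time it is presented: the digest
  # gives integrity only, so expiry or IP binding must live in the data
  # and be checked by the application.
  puts "same cookie presented again: #{verify_cookie(cookie, SECRET)}"
end
```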