CookieSession Encryption

I understand that the new CookieSessions use encryption to secure the
data inside the cookie. The +secret+ that is default defined in
config.action_controller.session in the environment.rb appears to be a
hexidemical key. A few questions regarding this:

  1. Is the +secret+ converted from a hex string to a binary key?
  2. Can I use any characters in the key
  3. What key lengths can I use?

Also, a couple questions about the encryption algorithm:

  1. What encryption algorithm is used.
  2. What mode is the encryption algorithm operating in (eg. CBC,
    stream, etc.)

One final question: Is the CookieSession attached to the user’s IP
address in any way within the ActionController, or is this left to the
developer? (To prevent against a replay attack)


Travis

On 12/18/07, tekwiz [email protected] wrote:

I understand that the new CookieSessions use encryption to secure the
data inside the cookie. The +secret+ that is default defined in
config.action_controller.session in the environment.rb appears to be a
hexidemical key. A few questions regarding this:

  1. Is the +secret+ converted from a hex string to a binary key?

no

  1. Can I use any characters in the key

yes

  1. What key lengths can I use?

anything 30 bytes or longer

Also, a couple questions about the encryption algorithm:

  1. What encryption algorithm is used.
  2. What mode is the encryption algorithm operating in (eg. CBC,
    stream, etc.)

The cookie is signed with a message digest. It is not encrypted.

The default is HMAC-SHA1 but you can choose any OpenSSL-supported hash
you like.

One final question: Is the CookieSession attached to the user’s IP
address in any way within the ActionController, or is this left to the
developer? (To prevent against a replay attack)

It’s up to you.

jeremy

Thank, you. I believe I understand now, but correct me if I’m wrong.

The cookie data is not encrypted at all. It is always in plaintext.
However, the cookie data is hashed with the secret (aka. a salt) and
that is also in the cookie for verification upon the next request.

On 12/18/07, tekwiz [email protected] wrote:

Thank, you. I believe I understand now, but correct me if I’m wrong.

The cookie data is not encrypted at all. It is always in plaintext.
However, the cookie data is hashed with the secret (aka. a salt) and
that is also in the cookie for verification upon the next request.

Yes. Though we use a message digest (HMAC-SHA1) not a simple hash with
salt.

jeremy

On Dec 19, 2007, at 7:31 AM, tekwiz wrote:

Thank, you. I believe I understand now, but correct me if I’m wrong.

The cookie data is not encrypted at all. It is always in plaintext.

Just in case: if you ask whether the data is right there as usual it
is not because it is encoded in Base64. There’s no encryption, the
data is readable, and you decode it if you want to see it.

– fxn

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs