
Sure, it's the default, but don't people realize never to trust clientside data? I don't know if CookieStore is signed or not, but I generally assume even if I sign the data it's not safe.

It's not that hard to just set up a Redis or whatever store to handle stuff like this, I never understood why people wouldn't bother.



Cookie store has always been signed and in rails 4 it's encrypted.


Very sloppy it wasn't encrypted from day 1 imo.


Day 1 was eight years ago. Care to tell which popular web frameworks did that then?


most popular web frameworks don't put data in the cookie, signed or not. yes it introduces different problems, but avoids this one.


How would you do it with redis exactly?


Same way ActionDispatch::Session::CacheStore does.

All session stores use a cookie to store a unique ID for each session...For most stores, this ID is used to look up the session data on the server, e.g. in a database table.

(obviously you'd substitute Redis for the database table mentioned above)
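The two approaches discussed in this thread, shown side by side as an added example (this is not code from the thread or from Rails itself): a server-side store in the style of `ActionDispatch::Session::CacheStore`, where the cookie holds only an opaque random ID and an in-memory Hash stands in for Redis, and a signed cookie codec, where the data travels in the cookie and the HMAC only guards integrity. The class names, the `peek` helper and the `--` payload/signature separator are assumptions made for this illustration.

```ruby
require 'openssl'
require 'securerandom'
require 'json'
require 'base64'

# Server-side session store: the browser only ever holds an opaque ID.
# The backend Hash is a stand-in for Redis (assumption for this example);
# in production you would pass a Redis client with the same get/set shape.
class ServerSideSessionStore
  def initialize(backend = {})
    @backend = backend
  end

  # Create a session and return the ID the cookie will carry.
  # 32 random bytes (64 hex chars) makes IDs infeasible to guess.
  def create(data)
    id = SecureRandom.hex(32)
    @backend[id] = JSON.generate(data)
    id
  end

  # Unknown or forged IDs simply miss; no client-supplied data is trusted.
  def load(id)
    raw = @backend[id]
    raw && JSON.parse(raw)
  end

  def destroy(id)
    @backend.delete(id)
  end
end

# Signed cookie codec: data lives in the cookie, protected by an HMAC.
# Signing detects tampering but does not hide the contents; Base64 is
# encoding, not encryption, so anyone holding the cookie can read it.
class SignedCookieCodec
  def initialize(secret)
    @secret = secret
  end

  def encode(data)
    payload = Base64.strict_encode64(JSON.generate(data))
    "#{payload}--#{sign(payload)}"
  end

  # Returns the data only if the signature verifies, nil otherwise.
  def decode(cookie)
    payload, sig = cookie.split('--', 2)
    return nil unless payload && sig && secure_compare(sign(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  end

  # Reads the payload WITHOUT the secret, to show that a signed (but not
  # encrypted) cookie is readable by whoever holds it.
  def self.peek(cookie)
    payload = cookie.split('--', 2).first
    JSON.parse(Base64.strict_decode64(payload))
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so signature checks do not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With the server-side store, a modified cookie can at worst name a session that does not exist; with the signed cookie, a modified payload fails verification, but the original contents are still visible to anyone who can read the cookie, which is the gap Rails 4 closed by encrypting it.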



