Rails, The Cookie Store, and Security

Tobi, Bob and David are all exactly dead spot on right. The Rails cookie store works as designed, data stored there should be tamper-proof and signed, and you are indeed the poorest kind of web programmer if you are assigning strong, valuable data into a cookie. Right, right, and right again.

However, the rub here is that:

  • Rails is an awfully popular web framework,
  • used by all kinds of developers, from neck-bearded Unix geeks down to baby-bottom-smooth-chinned high school geeks,
  • for all kinds of applications.

Given that the cookie store is the default session store, and that people either accidentally or on purpose store all kinds of goop in the session (often transiently, sometimes for the length of the session), then it behooves people to have a way to default to a more secure version. That's all the EncryptedCookieStore is for: guaranteeing that if you screw up your app, you don't also screw up your users.
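To make the distinction concrete, here is an added example (not code from Rails or from the EncryptedCookieStore plugin) contrasting a signed-only cookie with an encrypted one. The cookie layout, JSON serialization, function names, and secret are assumptions constructed for illustration.

```ruby
require "openssl"
require "base64"
require "json"

SECRET = "constructed-demo-secret" # constructed sample value, not a real key

# Constant-time string comparison for the signature check.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed-only cookie (simplified model): base64(payload)--HMAC.
def sign_cookie(session, secret = SECRET)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
end

# Server side: accept the payload only if the signature matches.
def verify_cookie(cookie, secret = SECRET)
  data, digest = cookie.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  secure_eq(expected, digest) ? JSON.parse(Base64.strict_decode64(data)) : nil
end

# Anyone holding the cookie can read it; no secret is involved.
def read_without_secret(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split("--", 2).first))
end

# Encrypted cookie (AES-256-GCM, an assumed construction): the payload is
# unreadable without the key, and tampering makes decryption fail.
def encrypt_cookie(session, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  ct = cipher.update(JSON.generate(session)) + cipher.final
  [iv, cipher.auth_tag, ct].map { |p| Base64.strict_encode64(p) }.join("--")
end

def decrypt_cookie(cookie, key)
  iv, tag, ct = cookie.split("--", 3).map { |p| Base64.strict_decode64(p) }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  JSON.parse(cipher.update(ct) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
  nil # wrong key, modified ciphertext, or malformed cookie
end
```

The signature stops a client from changing the session, but only encryption stops the client from reading whatever ended up in it.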

So, in order to be clear: Relevance in no way suggests that you should store anything of any value in a cookie. In fact, we'll shake our heads in disgust and drag you out behind the woodshed if we catch you doing it, you're darn tootin'. But if you want to make sure that you don't accidentally reveal something through this mechanism, defaulting it away might be useful.

And I did not mean to imply that the Rails team was either negligent, ignorant, or foolish for implementing the cookie store the way they did. I understand the reasoning well; our plugin is a safeguard against accidental misuse, not willful stupidity (we hope ;-) ).
