diff options
| author | Dhia Eddine Chouchane <dhiachouchane@gmail.com> | 2015-08-06 09:08:11 +0100 |
|---|---|---|
| committer | Dhia Eddine Chouchane <dhiachouchane@gmail.com> | 2015-08-06 09:08:11 +0100 |
| commit | 87f0e6719f8646ae5c5fdcad5c1b7757a36c3ed3 (patch) | |
| tree | c272187163b31cc78b5dbe4260095fe4b9dc0320 /guides/source/security.md | |
| parent | 3d32a50ca1933ee96abbe5db7ee99617fd0c328c (diff) | |
| download | rails-87f0e6719f8646ae5c5fdcad5c1b7757a36c3ed3.tar.gz rails-87f0e6719f8646ae5c5fdcad5c1b7757a36c3ed3.tar.bz2 rails-87f0e6719f8646ae5c5fdcad5c1b7757a36c3ed3.zip | |
Outdated information about session storage updated [ci skip]
The guide contains information about Rails 2 storing mechanism, but not Rails 4.
Enhanced the accuracy and coherence of information (There was a part saying "Older versions of Rails use CookieStore, which uses `secret_token` instead of `secret_key_base` that is used by EncryptedCookieStore." while there was no mention of EncryptedCookieStore before)
Diffstat (limited to 'guides/source/security.md')
| -rw-r--r-- | guides/source/security.md | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index 485b108d12..edce41516f 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -93,9 +93,11 @@ Rails 2 introduced a new default session storage, CookieStore. CookieStore saves * Cookies imply a strict size limit of 4kB. This is fine as you should not store large amounts of data in a session anyway, as described before. _Storing the current user's database id in a session is usually ok_. -* The client can see everything you store in a session, because it is stored in clear-text (actually Base64-encoded, so not encrypted). So, of course, _you don't want to store any secrets here_. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie. +* The client can see everything you store in a session, because it is stored in clear-text (actually Base64-encoded, so not encrypted). So, of course, _you don't want to store any secrets here_. To prevent session hash tampering, a digest is calculated from the session with a server-side secret (`secrets.secret_token`) and inserted into the end of the cookie. -That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA1, for compatibility). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_. +However, since Rails 4, the default store is EncryptedCookieStore. With EncryptedCookieStore the session is encrypted before being stored in a cookie. This prevents the user access to the content of the cookie and prevents him from tampering its content as well. Thus the session becomes a more secure place to store data. The encryption is done using a server-side secret key `secrets.secret_key_base` stored in `config/secrets.yml`. + +That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA1, for compatibility). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters, use `rake secrets` instead_. `secrets.secret_key_base` is used for specifying a key which allows sessions for the application to be verified against a known secure key to prevent tampering. Applications get `secrets.secret_key_base` initialized to a random key present in `config/secrets.yml`, e.g.: |