aboutsummaryrefslogtreecommitdiffstats
path: root/guides
diff options
context:
space:
mode:
authorNeeraj Singh <neerajdotname@gmail.com>2013-06-29 17:21:03 +0530
committerNeeraj Singh <neerajdotname@gmail.com>2013-06-29 17:21:03 +0530
commit1f35f04bf3dbc0c9cb4d213bbbc3cf0faf58c766 (patch)
treea137c692b0fefcc1229a326f7a3f4303e05d4d87 /guides
parent317aaa05883c92165cfb8204634b9fd9b976a97b (diff)
downloadrails-1f35f04bf3dbc0c9cb4d213bbbc3cf0faf58c766.tar.gz
rails-1f35f04bf3dbc0c9cb4d213bbbc3cf0faf58c766.tar.bz2
rails-1f35f04bf3dbc0c9cb4d213bbbc3cf0faf58c766.zip
cookies are encrypted starting Rails 4
Diffstat (limited to 'guides')
-rw-r--r--guides/source/action_controller_overview.md2
1 files changed, 1 insertions, 1 deletions
diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md
index 6a91418e1f..6d8e620695 100644
--- a/guides/source/action_controller_overview.md
+++ b/guides/source/action_controller_overview.md
@@ -346,7 +346,7 @@ Your application has a session for each user in which you can store small amount
All session stores use a cookie to store a unique ID for each session (you must use a cookie, Rails will not allow you to pass the session ID in the URL as this is less secure).
-For most stores, this ID is used to look up the session data on the server, e.g. in a database table. There is one exception, and that is the default and recommended session store - the CookieStore - which stores all session data in the cookie itself (the ID is still available to you if you need it). This has the advantage of being very lightweight and it requires zero setup in a new application in order to use the session. The cookie data is cryptographically signed to make it tamper-proof, but it is not encrypted, so anyone with access to it can read its contents but not edit it (Rails will not accept it if it has been edited).
+For most stores, this ID is used to look up the session data on the server, e.g. in a database table. There is one exception, and that is the default and recommended session store - the CookieStore - which stores all session data in the cookie itself (the ID is still available to you if you need it). This has the advantage of being very lightweight and it requires zero setup in a new application in order to use the session. The cookie data is cryptographically signed to make it tamper-proof. And it is also encrypted so anyone with access to it can't read its contents. (Rails will not accept it if it has been edited).
The CookieStore can store around 4kB of data — much less than the others — but this is usually enough. Storing large amounts of data in the session is discouraged no matter which session store your application uses. You should especially avoid storing complex objects (anything other than basic Ruby objects, the most common example being model instances) in the session, as the server might not be able to reassemble them between requests, which will result in an error.