RubyFlow : The Ruby Community Blog


Rails cookies are dangerous

Turns out, Rails cookies can be dangerous and they don't play nice with others.

Signed and encrypted cookies (sessions, "remember me" tokens, etc.) are serialized using Marshal, which is problematic for two reasons: security (someone who holds the session secret can execute arbitrary code server side, because Marshal.load reconstructs arbitrary Ruby objects) and compatibility (you can't share a session with a non-Ruby app).

You can't currently change Rails' default serializer, but here is a monkey patch for Rails 4, and here is a discussion about changing Rails' default serializer.

Please consider helping with the pull request the Rails team wants us to come up with.
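To make the two problems concrete, here is a small stand-in for a signed cookie store that serializes with JSON instead of Marshal. It is an added example written for this post, not Rails code and not the monkey patch the post links to; the class name `JsonSignedCookie`, the `--` separator and the `"test-secret"` key are all assumptions made for illustration. Because the payload is JSON, a valid signature can only ever yield plain hashes, arrays, strings and numbers (no arbitrary object graph is rebuilt), and the same payload can be read by a non-Ruby app that shares the secret.

```ruby
require "openssl"
require "json"

# Hypothetical signed-cookie store (example, not Rails code). It mimics the
# "payload--signature" shape of a Rails signed cookie but serializes the value
# with JSON, so verifying a cookie never calls Marshal.load on attacker-
# controlled bytes and the payload stays readable from other languages.
class JsonSignedCookie
  SEPARATOR = "--"

  def initialize(secret, digest: "SHA256")
    @secret = secret
    @digest = digest
  end

  # Serialize the session value to JSON, base64-encode it, append an HMAC.
  def generate(value)
    payload = [JSON.generate(value)].pack("m0")
    "#{payload}#{SEPARATOR}#{sign(payload)}"
  end

  # Return the session value, or nil if the cookie is malformed or the
  # signature does not match. The payload is only decoded after the MAC
  # check passes, so unsigned data is never parsed at all.
  def verify(cookie)
    payload, signature = cookie.to_s.split(SEPARATOR, 2)
    return nil if payload.nil? || signature.nil?
    return nil unless secure_compare(sign(payload), signature)
    JSON.parse(payload.unpack1("m0"))
  rescue ArgumentError, JSON::ParserError
    nil # strict base64 or JSON failure: treat as invalid cookie
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest(@digest, @secret, payload)
  end

  # Constant-time comparison so the MAC check does not leak timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = JsonSignedCookie.new("test-secret") # constructed secret for the demo
  cookie = store.generate({ "user_id" => 42 })
  puts "cookie:   #{cookie}"
  puts "verified: #{store.verify(cookie).inspect}"
  # Tampering with the payload or using a different secret yields nil.
  forged = store.generate({ "user_id" => 1 }).split("--").first + "--" + cookie.split("--").last
  puts "forged:   #{store.verify(forged).inspect}"
  puts "other:    #{JsonSignedCookie.new("other-secret").verify(cookie).inspect}"
end
```

The key design choice is the serializer, not the signing: the HMAC still protects integrity, but the worst case when the secret leaks drops from "arbitrary code execution" to "a forged session hash". Later Rails releases (4.1 onward) expose this choice as `config.action_dispatch.cookies_serializer = :json`; at the time of this post the linked monkey patch was the only way to get there.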
