RubyFlow The Ruby and Rails community linklog


The Ruby and Rails community linklog

Made a library? Written a blog post? Found a useful tutorial? Share it with the Ruby community here or just enjoy what everyone else has found!

Rails cookies are dangerous

Turns out, Rails cookies can be dangerous and they don’t play nice with others.

Signed and encrypted cookies (sessions, remember me etc..) are serialized using Marshal which is problematic for two reasons: security (someone with the session key can execute arbitrary code server side)and compatibility (you can’t share a session with a non Ruby app).

You can’t currently change Rails default serializer, but here is a monkey patch for Rails 4. And here is a discussion about changing Rails default serializer.

Please consider helping with the pull request the Rails team wants us to come up with.

Post a comment

You can use basic HTML markup (e.g. <a>) or Markdown.

As you are not logged in, you will be
directed via GitHub to signup or sign in