Random question, but is it possible for anyone to hack and create a session cookie in a browser for a site?
The reason I ask is that I'm currently working on creating callbacks in Rails. My callbacks are checking to see if
    # Only the edit and update actions require a logged-in employee
    before_action :employee_logged_in?, only: [:edit, :update]
    ...
    private

    # Redirect to the login page unless the session carries an employee id
    def employee_logged_in?
      if session[:current_employee_id].nil?
        flash[:danger] = "Employee needs to be logged in"
        redirect_to login_path
      end
    end
So in this way, if someone were able to create a session cookie and place it in the browser, then technically they could access any restricted pages (in this example, the edit and update routes).
Is this secure, or am I supposed to store the session cookies in a database and check them against the database for the specific session cookie?
The cookie store uses a digest to prevent tampering. If the user changes current_employee_id, then the server will know the session has been edited and will not use it.
From the Ruby on Rails Security Guide:
To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie.
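A simplified model of the scheme the guide describes, added here as an illustration rather than Rails' own cookie store (which also encrypts the cookie in current versions): the serialized session is followed by an HMAC computed with a server-side secret, so a cookie whose payload was edited in the browser, or that was produced without the secret, fails verification and is discarded. The secret and session values below are constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed secret; a real app keeps this in credentials, never in source.
SECRET = 'example-secret-for-illustration-only'

# Constant-time comparison so a forged digest cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize the session hash and append an HMAC over it: "<payload>--<digest>".
def sign_session(session, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  digest  = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{digest}"
end

# Verify the digest before trusting the payload. Returns the session hash,
# or nil for a malformed cookie, a wrong digest, or a digest made with another secret.
def load_session(cookie, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# What the question worries about: the payload is rewritten in the browser
# while the original digest is kept, because the secret is not available client-side.
def edited_cookie(cookie, new_session)
  _payload, digest = cookie.split('--', 2)
  "#{Base64.strict_encode64(JSON.generate(new_session))}--#{digest}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session('current_employee_id' => 7)
  p load_session(cookie)                                          # {"current_employee_id"=>7}
  p load_session(edited_cookie(cookie, 'current_employee_id' => 1)) # nil: digest no longer matches
end
```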