I've noticed a lot of Rails authentication tutorials store the user ID in session[:user_id] to remember the user and authenticate them. Assuming there is somewhere in the app that user_ids are exposed publicly (URLs, property on an HTML attribute, etc.), isn't this insecure since I could just edit my session cookie to use someone else's user_id? Am I missing something here?
According to the Rails Security Guide: "To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie."
So it looks like the Session can be presumed to be safe from the user tampering with it (assuming our server side secret is kept safe). However, a user still can read anything in the session hash, so we wouldn't want to store sensitive information.
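To make the quoted guide text concrete, here is an added example (not Rails' own implementation, and not from either answer) of a simplified signed cookie store: the session hash is base64-encoded, an HMAC over that payload is appended with a server-side secret, and the server only accepts the cookie if the digest still matches. The secret, field names and `--` separator are constructed for the demo.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed demo secret; a real app keeps this out of the repo and the client.
SECRET = 'constructed-demo-secret-do-not-reuse'

# cookie = base64(JSON(session)) + "--" + HMAC-SHA256(secret, payload) as hex
def sign_session(session, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  digest = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time byte comparison so the check does not leak where strings differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil when the digest does not match the payload.
def load_session(cookie, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_equal?(digest, expected)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil # malformed base64 or JSON is treated the same as a bad digest
end

# Models the question's scenario: the client can READ the session (it is only
# base64) and rewrite user_id, but cannot recompute the digest without the secret.
def tamper_user_id(cookie, new_user_id)
  payload, digest = cookie.split('--', 2)
  session = JSON.parse(Base64.strict_decode64(payload))
  session['user_id'] = new_user_id
  "#{Base64.strict_encode64(JSON.generate(session))}--#{digest}"
end
```

Because the payload is readable by anyone holding the cookie, the integrity check protects against tampering only, not against disclosure, which is the second answer's point about not storing sensitive data in the session.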
The cookie tends to not contain the user_id, it contains the session key, which is essentially a random, meaning-free string of characters. The session is stored on the server (in the database, or memcached, or a nosql store like redis etc), and the session holds the user id.
So, the session record (serverside only) for a given user might contain this data:
key: asoiuoi09u23uo8789289askho2
user_id: 1234
And the cookie (client side) holds the session key, so the cookie looks like this:
name: somecookiename
site: www.yoursite.com
content: asoiuoi09u23uo8789289askho2
So, to access someone else's session you would need to get hold of their session key. This is by no means impossible (see session-sniffing) but is made much harder by the use of https (which in turn requires SSL certs).