Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the difference between signed and encrypted cookies in Rails?

Tags:

ruby-on-rails

cookies

session-cookies

The documentation of ActionDispatch::Cookies gives nearly identical descriptions for both signed cookies and encrypted cookies. It appears that both use secrets.secret_key_base to prevent client-side tampering. http://api.rubyonrails.org/classes/ActionDispatch/Cookies.html

Signed Cookies

Sets a signed cookie, which prevents users from tampering with its value. The cookie is signed by your app's secrets.secret_key_base value. It can be read using the signed method cookies.signed[:name]

cookies.signed[:user_id] = current_user.id

Encrypted cookies

Sets an encrypted cookie value before sending it to the client which prevent users from reading and tampering with its value. The cookie is signed by your app's secrets.secret_key_base value. It can be read using the encrypted method cookies.encrypted[:name]

cookies.encrypted[:discount] = 45

My question is: What is the difference between the two?

When would you want to use one over the other?

like image 896
Sean Huber Avatar asked Jan 04 '17 15:01

Sean Huber

1 Answers

It's subtle, but the answer is in the documentation you provided. Signed cookies only guard against tampering, while encrypted cookies guard against reading and tampering.

More specifically, signed cookies call ActiveSupport::MessageVerifier to append a digest (generated using secret_key_base) to the cookie. If the value of the cookie is modified, the digest will no longer match, and without knowing the value of secret_key_base, the cookie cannot be signed. The value of the cookie is merely base64 encoded, however, and can be read by anyone.

Encrypted cookies called ActiveSupport::MessageEncryptor to actually encrypt the value of the cookie before generating the digest. Similar to signed cookies, if the value of cookie is modified the digest will no longer match, but additionally the value of the cookie cannot be decrypted without the secret_key_base.

As to when you'd use encrypted versus signed cookies, it comes down to the sensitivity of the information you're storing in the cookie. If all you want to protect against is someone modifying the cookie, then sign it - but if you also need to keep the data secret, encrypt it.

like image 81
Brian Avatar answered Sep 18 '22 13:09

Brian
Sign in to Comment

Related questions

Validation failed Class must exist
Unpermitted Parameters adding new fields to Devise in rails 4.0
How to define action with simple form for?
Include associated model when rendering JSON in Rails
usage of attr_accessor in Rails
Bootstrap: 'TypeError undefined is not a function'/'has no method 'tab'' when using bootstrap-tabs
Rails 3 -- Bundler/Capistrano Errors
Upgraded Rails to 6, getting Blocked host Error
Twitter bootstrap modal input field focus
Is it impossible to use Guard with RubyMine?
Rails4: How to permit a hash with dynamic keys in params?
Setting Environment Variables in Rails 3 (Devise + Omniauth)
Visit method not found in my rspec
Multiple objects in a Rails form
How to filter parameters in rails?
Why do I get an "undefined method for `has_attached_file` when installing PaperClip?
How do I get ActiveRecord to show the next id (last + 1) in Ruby on Rails?
Authenticate user using omniauth and Facebook for a rails API?
Rails belongs_to many models [closed]
TypeError: no implicit conversion of Symbol into Integer

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!