I understand that the new CookieSessions use encryption to secure the data inside the cookie. The +secret+ that is defined by default in config.action_controller.session in the environment.rb appears to be a hexadecimal key. A few questions regarding this:

1) Is the +secret+ converted from a hex string to a binary key?
2) Can I use any characters in the key?
3) What key lengths can I use?

Also, a couple of questions about the encryption algorithm:

1) What encryption algorithm is used?
2) What mode is the encryption algorithm operating in (e.g. CBC, stream, etc.)?

One final question: Is the CookieSession attached to the user's IP address in any way within the ActionController, or is this left to the developer? (To prevent against a replay attack)

-- Travis

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
On 12/18/07, tekwiz <twarlick-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I understand that the new CookieSessions use encryption to secure the
> data inside the cookie. The +secret+ that is defined by default in
> config.action_controller.session in the environment.rb appears to be a
> hexadecimal key. A few questions regarding this:
>
> 1) Is the +secret+ converted from a hex string to a binary key?

no

> 2) Can I use any characters in the key?

yes

> 3) What key lengths can I use?

anything 30 bytes or longer

> Also, a couple of questions about the encryption algorithm:
>
> 1) What encryption algorithm is used?
> 2) What mode is the encryption algorithm operating in (e.g. CBC,
> stream, etc.)?

The cookie is signed with a message digest. It is not encrypted.

The default is HMAC-SHA1 but you can choose any OpenSSL-supported hash you like.

> One final question: Is the CookieSession attached to the user's IP
> address in any way within the ActionController, or is this left to the
> developer? (To prevent against a replay attack)

It's up to you.

jeremy
Thank you. I believe I understand now, but correct me if I'm wrong.

The cookie data is not encrypted at all. It is always in plaintext. However, the cookie data is hashed with the secret (aka. a salt) and that is also in the cookie for verification upon the next request.

On Dec 18, 10:56 pm, "Jeremy Kemper" <jer...-w7CzD/W5Ocjk1uMJSBkQmQ@public.gmane.org> wrote:
> On 12/18/07, tekwiz <twarl...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> > I understand that the new CookieSessions use encryption to secure the
> > data inside the cookie. The +secret+ that is defined by default in
> > config.action_controller.session in the environment.rb appears to be a
> > hexadecimal key. A few questions regarding this:
>
> > 1) Is the +secret+ converted from a hex string to a binary key?
>
> no
>
> > 2) Can I use any characters in the key?
>
> yes
>
> > 3) What key lengths can I use?
>
> anything 30 bytes or longer
>
> > Also, a couple of questions about the encryption algorithm:
>
> > 1) What encryption algorithm is used?
> > 2) What mode is the encryption algorithm operating in (e.g. CBC,
> > stream, etc.)?
>
> The cookie is signed with a message digest. It is not encrypted.
>
> The default is HMAC-SHA1 but you can choose any OpenSSL-supported hash you like.
>
> > One final question: Is the CookieSession attached to the user's IP
> > address in any way within the ActionController, or is this left to the
> > developer? (To prevent against a replay attack)
>
> It's up to you.
>
> jeremy
On 12/18/07, tekwiz <twarlick-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Thank you. I believe I understand now, but correct me if I'm wrong.
>
> The cookie data is not encrypted at all. It is always in plaintext.
> However, the cookie data is hashed with the secret (aka. a salt) and
> that is also in the cookie for verification upon the next request.

Yes. Though we use a message digest (HMAC-SHA1) not a simple hash with salt.

jeremy
On Dec 19, 2007, at 7:31 AM, tekwiz wrote:
> Thank you. I believe I understand now, but correct me if I'm wrong.
>
> The cookie data is not encrypted at all. It is always in plaintext.

Just in case: if you ask whether the data is right there as usual, it is not, because it is encoded in Base64. There's no encryption, the data is readable, and you decode it if you want to see it.

-- fxn
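The following is an added example illustrating what Jeremy and fxn describe in the two replies above; it is my own sketch, not the CookieStore source from Rails. It assumes the cookie layout "base64(Marshal.dump(session))--hexdigest", HMAC-SHA1 by default with any OpenSSL digest name allowed, a secret of at least 30 bytes, and no binding to the client IP. The function names, the constant-time compare, and the constructed secret are all mine.

```ruby
require 'openssl'

# Constructed example secret for this demo only; Rails generates its own
# per-application value in environment.rb. Must be >= 30 bytes.
SECRET = 'constructed-example-secret-at-least-30-bytes-long!!'

def check_secret!(secret)
  raise ArgumentError, 'secret must be at least 30 bytes' if secret.bytesize < 30
end

# HMAC over the already-encoded payload; digest may be any OpenSSL digest name.
def generate_digest(data, secret, digest = 'SHA1')
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(digest), secret, data)
end

# Produce the cookie value: base64(marshal(session)) + "--" + hmac.
# [x].pack('m0') is strict Base64 without newlines (same as Base64.strict_encode64).
def marshal_session(session, secret, digest = 'SHA1')
  check_secret!(secret)
  data = [Marshal.dump(session)].pack('m0')
  "#{data}--#{generate_digest(data, secret, digest)}"
end

# Constant-time comparison so the verify step does not leak how many leading
# bytes of the digest matched (my addition; not part of the 2007 CookieStore).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Verify the signature first, then deserialize. Returns nil if the cookie is
# malformed, was signed with a different secret/digest, or had its payload
# altered. Marshal.load only ever runs on data whose HMAC checked out.
def unmarshal_session(cookie, secret, digest = 'SHA1')
  data, sig = cookie.split('--', 2)
  return nil if data.nil? || sig.nil?
  return nil unless secure_compare(generate_digest(data, secret, digest), sig)
  Marshal.load(data.unpack1('m0'))
end

# fxn's point: the payload is only Base64-encoded, not encrypted, so anyone
# holding the cookie can read it without the secret. Returns the raw decoded
# Marshal bytes (no Marshal.load, since the data is unverified here).
def peek_session(cookie)
  data, _sig = cookie.split('--', 2)
  data.unpack1('m0')
end

if __FILE__ == $0
  session = { 'user' => 'alice', 'ts' => 1_198_000_000 } # constructed session
  cookie = marshal_session(session, SECRET)
  puts "cookie:   #{cookie}"
  puts "verified: #{unmarshal_session(cookie, SECRET).inspect}"
  puts "readable: #{peek_session(cookie).include?('alice')}"
end
```

Because nothing ties the signed value to the client, a captured cookie stays valid until the session data changes or the secret is rotated; that is the "It's up to you" part of Jeremy's answer, and the usual mitigation is short-lived sessions plus server-side state for anything that must be revocable.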