encrypted_cookie

Use alternative serializer

Open namelessjon opened this issue 11 years ago • 3 comments

a la https://gist.github.com/mattetti/7624413

tl;dr: encrypted_cookie currently serializes via Marshal. This means that anyone who discovers the session secret probably has remote code execution on the application. Which is pretty bad, obviously.

namelessjon avatar Nov 30 '13 11:11 namelessjon
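Why a Marshal-based coder turns "knows the secret" into "runs code" while a JSON coder does not, as an added example that is not part of the issue or of encrypted_cookie's code. The `AuditHook` class is constructed for the demo: it stands in for any class on the application's load path that defines a `marshal_load` hook, which `Marshal.load` invokes on whatever bytes it is given, whereas `JSON.parse` can only ever yield Hash, Array, String, Numeric, true, false and nil.

```ruby
require 'json'

# Constructed for this example: a class with a marshal_load hook.  Here the
# hook only records that it ran, but whatever it did would run with the
# application's privileges as soon as Marshal.load meets its bytes.
class AuditHook
  @calls = []
  class << self
    attr_reader :calls
  end

  attr_reader :note

  def initialize(note = nil)
    @note = note
  end

  def marshal_dump
    @note
  end

  # Called by Marshal.load, not by the application.
  def marshal_load(data)
    @note = data
    self.class.calls << "marshal_load ran with #{data.inspect}"
  end
end

# What a Marshal-based session coder would store (before encryption/signing).
# Someone holding the session secret can produce bytes like these naming any
# class they like, so decoding them is the dangerous step.
def marshal_session_bytes
  Marshal.dump({ 'user_id' => 42, 'flash' => AuditHook.new('hello') })
end

# Marshal rebuilds arbitrary objects and runs their load hooks.
def decode_with_marshal(bytes)
  Marshal.load(bytes)
end

# JSON.parse (not JSON.load, see the note below) yields primitives only.
def decode_with_json(text)
  JSON.parse(text)
end

# Decode the same session both ways and report what came back.
def run_demo
  AuditHook.calls.clear
  from_marshal = decode_with_marshal(marshal_session_bytes)
  from_json = decode_with_json(JSON.generate({ 'user_id' => 42, 'flash' => 'hello' }))
  {
    marshal_flash_class: from_marshal['flash'].class.name, # "AuditHook"
    marshal_hook_calls:  AuditHook.calls.size,             # 1
    json_flash_class:    from_json['flash'].class.name     # "String"
  }
end

if $PROGRAM_NAME == __FILE__
  p run_demo
end
```

One caveat when switching: use `JSON.parse`, not `JSON.load`. `JSON.load` historically defaulted `create_additions` to true, which lets a `json_class` key in the document pick the Ruby class to instantiate and reintroduces part of the problem the switch away from Marshal is meant to remove.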

Personally I store a Hash with primitives in my session, so JSON or (safe_)YAML would do just fine, via some config/options or so!!

mkristian avatar Nov 30 '13 16:11 mkristian

*several months elapse*

One snag in implementing this easily is the expiry time which was added. With e.g. JSON.dump, this is serialised to something like "2014-08-15 14:46:26 UTC" and then on JSON.load it is returned as a string, which can't be compared with the Time.

Options

  1. Add a check in the expiry code to Time.parse if given a string.
  2. Write some new JSON and/or YAML based serialiser which converts everything to primitives.
  3. Something else?

namelessjon avatar Aug 15 '14 14:08 namelessjon
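Option 2 from the comment above, worked through as an added example (not code from encrypted_cookie): a coder that reduces the session to JSON primitives and restores `Time` values on the way back, so the expiry survives the round trip and the comparison with `Time.now` still works. It also shows the snag itself (plain `JSON.generate`/`JSON.parse` hands back a String) and an expiry check in the spirit of option 1 that parses a String expiry if one turns up. The `encode`/`decode` method pair follows the shape of Rack's cookie coders; the `__time__` tag key and the `'expires'` session key are assumptions made for the demo.

```ruby
require 'json'
require 'time'
require 'base64'

# Added example: JSON coder that keeps Time values round-trippable.
class PrimitiveJSONCoder
  TIME_KEY = '__time__'.freeze # assumed tag; a session key with only this name would collide

  def encode(obj)
    Base64.strict_encode64(JSON.generate(to_primitives(obj)))
  end

  # Malformed input yields nil (an empty session) rather than an exception.
  def decode(str)
    from_primitives(JSON.parse(Base64.strict_decode64(str)))
  rescue JSON::ParserError, ArgumentError
    nil
  end

  private

  # Only Hash/Array/String/Numeric/true/false/nil survive JSON.  Time is
  # rewritten as a tagged ISO 8601 string in UTC with microseconds; anything
  # else is rejected so nothing silently degrades to a String.
  def to_primitives(v)
    case v
    when Time then { TIME_KEY => v.getutc.iso8601(6) }
    when Hash then v.each_with_object({}) { |(k, x), h| h[k.to_s] = to_primitives(x) }
    when Array then v.map { |x| to_primitives(x) }
    when String, Numeric, true, false, nil then v
    else raise ArgumentError, "non-primitive #{v.class} in session"
    end
  end

  def from_primitives(v)
    case v
    when Hash
      if v.size == 1 && v.key?(TIME_KEY)
        Time.iso8601(v[TIME_KEY])
      else
        v.each_with_object({}) { |(k, x), h| h[k] = from_primitives(x) }
      end
    when Array then v.map { |x| from_primitives(x) }
    else v
    end
  end
end

# The snag: JSON.generate calls Time#to_s, and JSON.parse returns that String.
def naive_json_roundtrip(session)
  JSON.parse(JSON.generate(session))
end

# Option 1 in spirit: tolerate a String expiry by parsing it before comparing.
def session_expired?(session, now = Time.now)
  exp = session['expires']
  return false if exp.nil?
  exp = Time.parse(exp) if exp.is_a?(String)
  exp <= now
end

if $PROGRAM_NAME == __FILE__
  coder = PrimitiveJSONCoder.new
  session = { 'user_id' => 42, 'expires' => Time.utc(2014, 8, 15, 14, 46, 26) }
  p naive_json_roundtrip(session)['expires'].class         # String
  p coder.decode(coder.encode(session))['expires'].class   # Time
end
```

The tagged-hash approach keeps the coder generic: any `Time` anywhere in the session comes back as a `Time`, not just the expiry, and a cookie that fails Base64 or JSON parsing decodes to `nil` instead of raising inside the middleware.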

Since the project seems no longer maintained, I built another one: https://github.com/tonytonyjan/rack_encrypted_cookie

It's built on top of Rack::Session::Cookie, so you can customize the :coder as well, for example:

use Rack::Session::EncryptedCookie, secret: 'tonytonyjan', coder: Rack::Session::Cookie::Base64::JSON.new

There are 3 built-in serializers (coders) so far:

puts Rack::Session::Cookie::Base64.constants
# => [:Marshal, :JSON, :ZipJSON]

tonytonyjan avatar Dec 05 '16 15:12 tonytonyjan