
yfujiki's Profile

GitHub User: yfujiki

Comments by


My bad. I didn't know that Rails 3 session cookies are tamper-proof... Wow, that makes my life really easy!


Hello Ryan. Thank you for the great tutorials! :)

I didn't quite get this comment though. Isn't that what session hijacking is about?

I may be misunderstanding your comment, so please correct me if my basic understanding about the security design is wrong.

  1. If a malicious person gets the user_id, he can create a request with session[:user_id] to bypass login. So it is always better to use SSL to prevent session cookies from being sniffed.

  2. To enhance security further in a highly sensitive system, it would be better to use a session id that changes its value according to the login time (unlike user_id).