Tags: ruby-on-rails, session-cookies, redis-rails

Is it secure to use redis-rails as session store?


When used as a session store, I noticed that redis-rails saves the session id in unencrypted format in the cookie. Shouldn't the session id be treated as secure information and not be exposed unencrypted in a cookie, to thwart session-hijacking attempts?


Solution

  • No.

    The session identifier cookie is the only (decent) way to link a client to a session. The client must have some sort of claim which they can pass along with the request so that we can identify them.

    This applies whether you are using CookieStore, Redis, ActiveRecord or memcached.

    Encrypting the session identifier with a fixed salt or no salt would do absolutely nothing but waste time, since the attacker has access to the cookie anyway in a man-in-the-middle or XSS attack.

    If you used a salt you would have to link that to the user as well. Now you have two problems instead of one.

    While you could use a bunch of novel approaches, like salting with the user agent, IP or anything else that you think you know about the client, the security benefits are few.

    As @pvg said:

    Session ids merely have to be random, unpredictable and sufficiently large.

    Meaningful ways to protect the session are:
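The following is an added example, not code from the question, the answer, or redis-rails. It shows the model the answer describes: the cookie carries nothing but a random identifier, every piece of session state lives server-side, and the id is generated by `SecureRandom`, rotated on login and expired after a TTL. The Hash stands in for Redis, and the cookie name, the 90-minute TTL and the injectable clock are assumptions made for the example.

```ruby
require "securerandom"
require "time"

# Minimal server-side session store in the style of a Redis-backed store.
# The cookie holds only the id; all data lives in @store. The Hash is a
# constructed stand-in for Redis, not redis-rails code.
class ServerSideSessionStore
  ID_BYTES = 16                 # 128 bits of entropy per session id
  COOKIE_NAME = "_app_session"  # assumed cookie name

  # ttl in seconds; clock is injectable so expiry can be exercised offline.
  def initialize(ttl: 90 * 60, clock: -> { Time.now })
    @store = {}                 # session_id => { data: Hash, expires_at: Time }
    @ttl = ttl
    @clock = clock
  end

  # A new session id: random, unpredictable and sufficiently large.
  # No encryption or salting is involved; the id carries no meaning.
  def create(data = {})
    id = SecureRandom.hex(ID_BYTES)
    @store[id] = { data: data, expires_at: @clock.call + @ttl }
    id
  end

  # Resolve the id presented in the cookie. Malformed, unknown or expired ids
  # all return nil so the caller treats the request as unauthenticated.
  def fetch(id)
    return nil unless id.is_a?(String) && id.match?(/\A\h{#{ID_BYTES * 2}}\z/)
    entry = @store[id]
    return nil if entry.nil?
    if entry[:expires_at] <= @clock.call
      @store.delete(id)
      return nil
    end
    entry[:data]
  end

  # Issue a fresh id on login or privilege change (session-fixation defence).
  # The old id stops resolving immediately; the data is carried over.
  def rotate(old_id)
    data = fetch(old_id)
    return nil if data.nil?
    @store.delete(old_id)
    create(data)
  end

  # Server-side logout: the cookie value becomes worthless even if captured.
  def destroy(id)
    @store.delete(id)
    nil
  end

  # Set-Cookie value with the flags that actually protect the id in transit
  # and from script access: Secure, HttpOnly and SameSite.
  def cookie_header(id)
    "#{COOKIE_NAME}=#{id}; Path=/; Secure; HttpOnly; SameSite=Lax"
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ServerSideSessionStore.new
  id = store.create({ "user_id" => 42 })
  puts store.cookie_header(id)
  puts store.fetch(id).inspect
  puts store.fetch("guessed-id").inspect
end
```

The point the example makes is that hijacking requires obtaining the id itself (over plaintext HTTP, via XSS, or from the client machine); the `Secure` and `HttpOnly` flags address the first two, and rotation plus server-side expiry bound the window in which a captured id is useful. Nothing about encrypting the id in the cookie would change any of that.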