The client cannot forge or modify sessions because it cannot generate
valid signatures across the modified data. The server checks the hash on each request
and raises a TamperedWithCookie exception if the hash does not match the data. This is
the standard way to store data with an untrusted client while still assuring integrity.
In Rails 2.0, the CookieStore is now the default session store. The CookieStore
requires a secret key or phrase and session cookie key to be defined; it will raise an
exception if either of these are missing. These options can be set alongside other session
options in config/environment.rb:
Web Issues | 139
config.action_controller.session = {
:session_key => "_myapp_session",
:secret => "Methinks it is like a weasel"
}
There are a few limitations to the CookieStore:
• In most cases, cookies are limited to 4 KB each. The CookieStore will raise a
CookieOverflow exception if the data and HMAC overflow this limit. This is not
an error you want to get in production (as it requires architectural changes to
remedy), so make sure your session data will be well below this limit.
• The entire session and HMAC are calculated, transmitted, and verified on each
request and response. The CookieStore is smart enough not to retransmit the
cookie if it has not changed since the last request, but the client must transmit all
cookies on each request.
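The following is an added example, not code from the book or from Rails, showing the mechanism the two passages above describe: a session hash is serialized, an HMAC keyed with the server secret is appended, and on the way back in the signature is recomputed and compared before the payload is trusted. A mismatch raises TamperedWithCookie and a cookie over 4 KB raises CookieOverflow, as the text says the real CookieStore does. The class name SignedCookieSession, the `--` separator, the use of JSON instead of Marshal for the payload and the SHA-256 digest are this example's own choices, not Rails's.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Exception names follow the ones the text mentions; the classes are defined
# here only so the example runs stand-alone.
class TamperedWithCookie < StandardError; end
class CookieOverflow < StandardError; end

# Minimal signed-cookie session store (constructed for this example).
class SignedCookieSession
  MAX_COOKIE_BYTES = 4096 # the common per-cookie limit mentioned in the text

  def initialize(secret)
    # Mirror the CookieStore's refusal to run without a secret.
    raise ArgumentError, 'a non-empty secret is required' if secret.nil? || secret.empty?
    @secret = secret
  end

  # Serialize the session and append an HMAC over the encoded payload.
  # Returns the cookie value the server would send to the client.
  def marshal(session)
    data = Base64.strict_encode64(JSON.generate(session))
    cookie = "#{data}--#{hmac(data)}"
    if cookie.bytesize > MAX_COOKIE_BYTES
      raise CookieOverflow, "cookie is #{cookie.bytesize} bytes, limit is #{MAX_COOKIE_BYTES}"
    end
    cookie
  end

  # Verify the HMAC first, and only then decode the payload.
  def unmarshal(cookie)
    data, sig = cookie.to_s.split('--', 2)
    unless data && sig && secure_compare(hmac(data), sig)
      raise TamperedWithCookie, 'session cookie signature mismatch'
    end
    JSON.parse(Base64.strict_decode64(data))
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, data)
  end

  # Constant-time comparison so the check does not leak how many leading
  # bytes of a guessed signature were correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  store = SignedCookieSession.new('Methinks it is like a weasel')
  cookie = store.marshal('user_id' => 42)
  puts "cookie: #{cookie}"
  puts "round trip: #{store.unmarshal(cookie).inspect}"
end
```

The order inside unmarshal is the security-relevant detail: nothing from the client is parsed until the signature has been checked, so a client who edits the payload (or swaps in a payload signed for a different value) is rejected before any deserialization happens.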