top | item 4656908


dgoodlad | 13 years ago

That's how _some_ session tracking works. See Rails' CookieStore strategy for session storage for example: http://guides.rubyonrails.org/security.html#session-storage

> Rails 2 introduced a new default session storage, CookieStore. CookieStore saves the session hash directly in a cookie on the client-side. The server retrieves the session hash from the cookie and eliminates the need for a session id. That will greatly increase the speed of the application, but it is a controversial storage option and you have to think about the security implications of it:


chris_wot | 13 years ago

That's not how secure session management works.

cheald | 13 years ago

It's plenty secure in the sense that you can't forge a session. It's not secure in the sense that the data is inaccessible if you know how to base64 decode a cookie.

If you're using cookie sessions, you should know better than to store sensitive information in the session.
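The property dgoodlad's quote and cheald's reply are both describing (a signed, but unencrypted, client-side session) as an added example. This is not Rails' own CookieStore code: it is a minimal re-implementation of the same scheme, Base64 payload plus an HMAC-SHA1 digest joined with "--", written for this thread. It uses JSON instead of Rails' Marshal serialisation, and the secret key and the session contents are constructed for the example.

```ruby
require 'base64'
require 'openssl'
require 'json'

# Constructed secret for the example only; Rails derives this from
# config.secret_key_base (older versions: secret_token). Not a real key.
SECRET = "assumed-secret-key-for-the-example"

# Server side: serialise the session hash, Base64 it, and append an HMAC
# over the encoded payload. The cookie value is "<payload>--<hexdigest>".
def sign_session(hash, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(hash))
  digest  = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time comparison so the verifier does not leak how many leading
# bytes of a forged digest were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  res = 0
  b.each_byte { |byte| res |= byte ^ left.shift }
  res == 0
end

# Server side: accept the session only if the HMAC verifies; otherwise nil.
def load_session(cookie, secret = SECRET)
  payload, digest = cookie.split("--", 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil # malformed Base64 or JSON: treat as no session
end

# Anyone holding the cookie can read it: no key is needed for this step.
# This is cheald's point about base64-decoding the cookie.
def peek_session(cookie)
  payload = cookie.split("--", 2).first
  JSON.parse(Base64.strict_decode64(payload))
end

# Attempt to modify a field and re-encode without knowing the secret.
# The old digest no longer matches the new payload, so load_session rejects it.
def tamper(cookie, changes)
  payload, digest = cookie.split("--", 2)
  data = JSON.parse(Base64.strict_decode64(payload)).merge(changes)
  "#{Base64.strict_encode64(JSON.generate(data))}--#{digest}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session({ "user_id" => 42, "admin" => false })
  puts "cookie:        #{cookie}"
  puts "server sees:   #{load_session(cookie).inspect}"
  puts "attacker sees: #{peek_session(cookie).inspect}"
  puts "tampered:      #{load_session(tamper(cookie, "admin" => true)).inspect}"
end
```

The two outcomes side by side are the whole argument of the thread: `load_session` refuses a payload whose digest does not verify (no forging), while `peek_session` reads every field without the key (no confidentiality). Anything that must stay secret from the user, such as a password hash, internal flag or another user's data, does not belong in a cookie session signed this way.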