How secure is the flash hash?

How 开发者_如何学Csecure is the flash hash? Can a user easily see the values stored in it and inject his own values?

Rails will, by default, store the session in a cookie. The session state is kept in a Hash, which is Marshal.dump'd and Base64.encode64'd into a string to be sent to the browser in the Set-Cookie header. In addition, the session is cryptographically signed with your Rails.application.config.secret_token, which you can find in config/initializers/secret_token.rb.

Anyone can read the session state, including the flash Hash. But it would be impossible to forge it (unless the attacker had the key). However, there is no protection against replay attacks on the session state (where the attacker uses a session cookie he has seen before and that contains the value he wants to send to the server now).

If the replay attack is problem, or if the ability of users to read the session state is a problem, you should use the AR session store or, possibly a better idea, use a Redis session store. Redis is a fast key-value store whose specific use-case vs. other key-value stores includes storing session state.

The FlashHash is saved and loaded in session["flash"] (github). So it's security depends directly on the session store setup. The cookie-based session store is the Rails default.

• In Rails 4, depending on your config/secrets.yml the fallowing will apply:
  • If you only have secret_token set, your cookies will be signed, but not encrypted.
  • If you have secret_key_base set, your cookies will be encrypted.

Even if you have an encrypted cookie and a AR Session Store, or a Redis Session Store, you will always end up saving a session_id into the client's cookie, which can be copied by an attacker. Setting up a secure cookie under a https:// website will make it safer.

Rails uses encoded session, so i would be inclined to say no. Use Firebug, make requests to Rails app and have a look at the cookies :)