Should I be concerned if I am using the default cookie-based session storage for a high security application? Nothing sensitive will be stored on the cookie, but it's critical that one user cannot gain access to another user's account. The security risks I see with cookie-based storage are:
1. There is a single point of failure. If the secret key is stolen (for example, by a rogue developer), the person in possession of the key can log into any account he wishes.
2. It's not been as widely used as database-backed sessions, and therefore not as tested.
3. The cryptographic algorithm could be compromised, which is always a possibility (however unlikely).

What do you think?

Eric

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
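To make the first risk concrete, here is a small model of how a signed cookie store binds session data to a server secret, and what a defender gets from the signature check. This is an added illustration written for this thread, not Rails' own CookieStore code: the `SignedCookieSession` module, its `--` separator, the HMAC-SHA256 choice and the sample secrets are all assumptions. Beyond the post's scenario it also shows key rotation (`verify_with_rotation`), which is the usual answer to "what if the single secret leaks": verifying against a list of secrets lets you issue a new key, keep old sessions alive briefly, and then drop the old key to invalidate everything signed with it.

```ruby
require "openssl"
require "base64"
require "json"

# Minimal signed-cookie session store (constructed example, not Rails' CookieStore).
# The server holds a secret key; the session hash is sent to the client as
#   base64(json payload) + "--" + hex(HMAC-SHA256(secret, payload))
# The client can read the payload (nothing secret is stored in it) but cannot
# change it without the key, because the HMAC would no longer match.
module SignedCookieSession
  SEPARATOR = "--" # not a base64 or hex character, so splitting is unambiguous

  # Serialize and sign the session hash with the server secret.
  def self.generate(session_hash, secret)
    payload = Base64.strict_encode64(JSON.generate(session_hash))
    "#{payload}#{SEPARATOR}#{hmac(payload, secret)}"
  end

  # Verify the signature and return the session hash, or nil if the cookie is
  # malformed, was tampered with, or was signed with a different key.
  def self.verify(cookie, secret)
    payload, signature = cookie.to_s.split(SEPARATOR, 2)
    return nil if payload.nil? || signature.nil?
    return nil unless secure_compare(hmac(payload, secret), signature)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil # invalid base64 or JSON after a (valid) signature: treat as no session
  end

  # Key rotation: accept cookies signed with the current key or any still-trusted
  # old key. Removing a key from the list invalidates every session signed with it,
  # which is how a leaked secret is dealt with in a cookie-based store.
  def self.verify_with_rotation(cookie, secrets)
    secrets.each do |secret|
      session = verify(cookie, secret)
      return session unless session.nil?
    end
    nil
  end

  def self.hmac(payload, secret)
    OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  end

  # Constant-time comparison so the signature check does not leak timing
  # information about how many leading bytes of a guessed signature were right.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo values: a 32-byte server secret and a session holding only a user id.
  secret = "0" * 32
  cookie = SignedCookieSession.generate({ "user_id" => 42 }, secret)
  puts "cookie:   #{cookie}"
  puts "verified: #{SignedCookieSession.verify(cookie, secret).inspect}"

  # Changing the payload without the key leaves a signature that no longer matches.
  _payload, signature = cookie.split("--", 2)
  forged = Base64.strict_encode64('{"user_id":1}') + "--" + signature
  puts "forged:   #{SignedCookieSession.verify(forged, secret).inspect}"

  # After rotating to a new key, the old cookie is only accepted while the old key is still listed.
  new_secret = "1" * 32
  puts "rotated:  #{SignedCookieSession.verify_with_rotation(cookie, [new_secret, secret]).inspect}"
  puts "retired:  #{SignedCookieSession.verify_with_rotation(cookie, [new_secret]).inspect}"
end
```

The point the example makes about risk 1 is that the integrity of every session rests entirely on the secret: the verifier cannot tell a cookie forged with a leaked key from a genuine one, so the defensive controls are protecting the key (not in source control, not shared with every developer), rotating it, and being able to retire it quickly. Point 3 is visible in `hmac`: the algorithm is a single replaceable function, and rotating to a new key is also the moment to move to a stronger MAC if one is ever needed.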

