Is it secure to use redis-rails as session store?


When using it as a session store, I noticed that redis-rails saves the session id in unencrypted form in the cookie. Shouldn't the session id be treated as secure information and not be exposed unencrypted in the cookie, to thwart session-hijacking attempts?

No.

The session identifier cookie is the (decent) way to link a client to a session. The client must have some sort of claim that it can pass along with the request so that it can be identified.

This applies whether you are using CookieStore, Redis, ActiveRecord or Memcached.

Encrypting the session identifier with a fixed salt, or with no salt, does absolutely nothing and is a waste of time, since the attacker has access to the cookie anyway in a man-in-the-middle or XSS attack.

If you used a salt, you would have to link it to the user as well. Then you have 2 problems instead of one.

While you could use a bunch of novel approaches, like salting with the user agent, the IP or whatever else you think you know about the client, the security benefits are few.

As @pvg said:

    Session ids merely have to be random, unpredictable, and sufficiently large.

The meaningful ways to protect the session are:

  • Use HTTPS to thwart man-in-the-middle attacks.
  • Call reset_session when logging users in and out to avoid session fixation.
  • Sanitize user input to avoid XSS.
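The three properties the answer relies on (a random, unpredictable, sufficiently large id; a fresh id on login and logout; a cookie that only travels over HTTPS) are easiest to see in a runnable sketch. The following is an added example written for this page, not code from the answer, from redis-rails or from Rails itself: a plain Ruby Hash stands in for the Redis store, `SessionStore`, `App`, `login_without_reset` and `login_with_reset` are names assumed here, and `login_with_reset` only mimics what Rails' `reset_session` does (drop the old server-side session and issue a new id). The fixation scenario at the bottom is constructed for illustration.

```ruby
require 'securerandom'

# In-memory stand-in for the Redis session store (assumed for this example).
# Only the session id is ever sent to the client; the data stays server side.
class SessionStore
  ID_FORMAT = /\A\h{64}\z/ # 32 random bytes, hex-encoded

  def initialize
    @data = {}
  end

  # Ids need only be random, unpredictable and large: 32 bytes (256 bits)
  # from the OS CSPRNG, no encryption or salting required.
  def generate_id
    SecureRandom.hex(32)
  end

  def create
    id = generate_id
    @data[id] = {}
    id
  end

  # Reject anything that is not an id this store issued.
  def valid_id?(id)
    id.is_a?(String) && id.match?(ID_FORMAT) && @data.key?(id)
  end

  def fetch(id)
    @data[id]
  end

  def delete(id)
    @data.delete(id)
  end
end

# Minimal controller stand-in. `cookie_id` is whatever the client sent.
class App
  attr_reader :store

  def initialize(store = SessionStore.new)
    @store = store
  end

  # VULNERABLE: keeps the pre-login session id after authentication, so an id
  # an attacker planted in the victim's browser becomes an authenticated one.
  def login_without_reset(cookie_id, user_id)
    id = store.valid_id?(cookie_id) ? cookie_id : store.create
    store.fetch(id)[:user_id] = user_id
    id
  end

  # FIXED: the reset_session equivalent. Discard the old session entirely and
  # bind the user to a brand-new id the attacker has never seen.
  def login_with_reset(cookie_id, user_id)
    store.delete(cookie_id) if store.valid_id?(cookie_id)
    id = store.create
    store.fetch(id)[:user_id] = user_id
    id
  end

  # Same idea on logout: destroy the session and hand back a fresh anonymous one.
  def logout(cookie_id)
    store.delete(cookie_id) if store.valid_id?(cookie_id)
    store.create
  end

  def current_user(cookie_id)
    return nil unless store.valid_id?(cookie_id)
    store.fetch(cookie_id)[:user_id]
  end

  # Secure keeps the id off plaintext HTTP (the MITM point), HttpOnly keeps it
  # out of document.cookie, SameSite=Lax limits cross-site sends.
  def set_cookie_header(id)
    "Set-Cookie: _app_session=#{id}; Path=/; Secure; HttpOnly; SameSite=Lax"
  end
end

# Constructed session-fixation scenario: the attacker obtains a legitimate
# anonymous id, plants it in the victim's browser, and waits for the login.
def fixation_demo(reset:)
  app = App.new
  attacker_id = app.store.create
  victim_id = if reset
                app.login_with_reset(attacker_id, 42)
              else
                app.login_without_reset(attacker_id, 42)
              end
  { attacker_sees_user: app.current_user(attacker_id),
    victim_id_changed: victim_id != attacker_id }
end

if $PROGRAM_NAME == __FILE__
  puts "without reset: #{fixation_demo(reset: false)}"
  puts "with reset:    #{fixation_demo(reset: true)}"
  puts App.new.set_cookie_header(SessionStore.new.generate_id)
end
```

Without the reset the attacker's planted id is the one that ends up bound to user 42; with it, the victim receives a new id and the attacker's copy is gone from the store. Nothing about this depends on hiding the id in the cookie, which is the answer's point.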
