Is there a security risk when exposing a session identifier in Rails 4?

I am working on implementing token authentication in Rails 4, where the user session cookie value is encrypted. The encrypted cookie contains the user session identifier (standard Rails 4 sessions).

As part of the token implementation, would it be considered a security risk if the session identifier were disclosed to the browser as an attribute of the token?

The session ID will not be used as part of the token authentication process. In fact, forget for a moment that this has anything to do with token authentication.

Question: Is there a security risk in exposing an unencrypted session identifier to the browser in a Rails 4 application?

My gut says no, this is not a risk, because a malicious user will not be able to build an encrypted session cookie value that tricks the server into accepting a session ID that has been tampered with (at least not without access to the application's secret key).

Even if the hacker were able to fake the session identifier, I'm not sure how this would help them, since the session identifier is completely random (as far as I know), and we use cookie-based storage, so changing the value would have little effect on the user.

Am I right?

+4
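As an added illustration of the point this question turns on (this is example code, not code from the original post or from Rails itself): a stdlib-only Ruby re-implementation modelled on the Rails 4 encrypted cookie store. It derives the keys with PBKDF2-HMAC-SHA1 from `secret_key_base` using the Rails 4 default salts `"encrypted cookie"` and `"signed encrypted cookie"`, encrypts the session with AES-256-CBC and then signs it with HMAC-SHA1 in Rails' `data--digest` layout. The demo secret, the session values and the use of JSON instead of Rails 4.0's default Marshal serializer are assumptions made for the example. It shows that an attacker who learns the `session_id` still cannot produce a cookie the server accepts, and that changing a single character of a genuine cookie fails the signature check before decryption is even attempted.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

# Constructed demo secret; in a Rails app this is config.secret_key_base
# (assumption for the example, not a real key).
SECRET_KEY_BASE = "0123456789abcdef" * 8

# Rails 4 default salts for the encrypted cookie store.
ENCRYPTED_COOKIE_SALT        = "encrypted cookie"
ENCRYPTED_SIGNED_COOKIE_SALT = "signed encrypted cookie"

# Modelled on ActiveSupport::KeyGenerator (PBKDF2-HMAC-SHA1, 1000 iterations).
def generate_key(secret_key_base, salt, size)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, 1000, size)
end

# Returns [encryption key (32 bytes for AES-256), signing key (64 bytes)].
def derive_keys(secret_key_base)
  [generate_key(secret_key_base, ENCRYPTED_COOKIE_SALT, 32),
   generate_key(secret_key_base, ENCRYPTED_SIGNED_COOKIE_SALT, 64)]
end

# Constant-time comparison so the signature check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side: serialize, encrypt (AES-256-CBC, random IV), then sign
# (encrypt-then-MAC). Output mirrors Rails: base64(payload)--hexdigest.
def encrypt_and_sign(session, secret_key_base)
  enc_key, sign_key = derive_keys(secret_key_base)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = enc_key
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  payload = [ciphertext, iv].map { |v| Base64.strict_encode64(v) }.join("--")
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", sign_key, data)}"
end

# Server side: verify the signature first, only then decrypt. Returns the
# session Hash, or nil for anything not produced with this secret.
def verify_and_decrypt(cookie, secret_key_base)
  enc_key, sign_key = derive_keys(secret_key_base)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest("SHA1", sign_key, data), digest)
  ct_b64, iv_b64 = Base64.strict_decode64(data).split("--", 2)
  return nil if ct_b64.nil? || iv_b64.nil?
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.decrypt
  cipher.key = enc_key
  cipher.iv = Base64.strict_decode64(iv_b64)
  JSON.parse(cipher.update(Base64.strict_decode64(ct_b64)) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# Attacker side: knows the victim's session_id (the value the question asks
# about) but not secret_key_base, so can only encrypt and sign with a guess.
def forge_cookie(known_session_id, user_id, guessed_secret)
  encrypt_and_sign({ "session_id" => known_session_id, "user_id" => user_id }, guessed_secret)
end

# Attacker side: take a genuine cookie and change one character of the
# encrypted payload without being able to recompute the digest.
def tamper_cookie(cookie)
  data, digest = cookie.split("--", 2)
  flipped = (data[0] == "A" ? "B" : "A") + data[1..-1]
  "#{flipped}--#{digest}"
end

# Runs the three cases and reports which cookies the server accepts.
def demo
  session = { "session_id" => SecureRandom.hex(16), "user_id" => 42 }
  genuine = encrypt_and_sign(session, SECRET_KEY_BASE)
  {
    genuine_accepted:  verify_and_decrypt(genuine, SECRET_KEY_BASE) == session,
    forged_accepted:   !verify_and_decrypt(forge_cookie(session["session_id"], 1, "guess"), SECRET_KEY_BASE).nil?,
    tampered_accepted: !verify_and_decrypt(tamper_cookie(genuine), SECRET_KEY_BASE).nil?
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The order of checks in `verify_and_decrypt` is the important design point: the HMAC is verified over the opaque ciphertext before any decryption or deserialization happens, so a forged or modified cookie never reaches the cipher or the parser. With cookie-based storage the `session_id` is just one field inside that protected blob, not a lookup key into server-side state, which is why knowing it gives an attacker nothing to replay or overwrite without `secret_key_base`.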