On Encrypted Cookies
June 16, 2011 § 2 Comments
I love cookies. Well, despite obviously loving the cookies of the baked goods variety, I also love Rails 3 cookies. I know it’s weird, but if you are looking for things that aren’t weird, you probably are in the wrong place. The specific thing I really like about the Rails 3 cookie system is that it is chainable. So cool.
They are three types of built-in cookies. Your basic everyday cookie, a permanent cookie and a signed cookie. The basic cookie just saves something to a cookie in the user’s browser. You can add an expiration date if you’d like. The permanent cookie sets the expiration date 20 years from now and the signed cookie cryptographically signs the contents of the cookie so that people can’t tamper with it. The way you interact with them is slick.
cookies[:things] = "stuff" # assign cookies[:things] # read cookies.permanent[:perm] = "Never going away" # write to a permanent cookie cookies[:perm] # read a permanent cookie cookies.signed[:tamper_proof] = "fragile info" # write to a signed cookie cookies.signed[:tamper_proof] # read a signed cookie cookies.permanent.signed[:perm_tamper_proof] = # write to a permanent signed cookie cookies.signed[:perm_tamper_proof] # read the permanent signed cookie
Now it is best practice to not put highly sensitive information in cookies. There is just no telling what is going on with a user’s browser and their computer. But there are times where you might have some pseudo-sensitive info that you want to store in a cookie. Not things like social security number, but maybe some app info that you would rather people not see, but it wouldn’t be the end of the world if they did.
Enter encrypted-cookies.
encrytped-cookies is a ruby gem that provides access to encrypted cookies for Rails 3 apps. It’s built to work exactly like signed cookies, so there isn’t really anything else to say about the usage except to show the two line example:
cookies.encrypted[:secret_cookie] = "nothing to see here" # write to a signed cookie cookies.encrypted[:secret_cookie] # read a signed cookie
Piece of cake.
I should probably mention how I do the encryption, since that is something you are probably curious about. The great thing about is that I don’t do the encryption! ActiveSupport has this nifty little module called ActiveSupport::MessageEncryptor. It does exactly what you think it does. It encrypts and decrypts messages. I didn’t want to take a chance writing the encryption code myself. Waaaaay to many places to make a mistake and really screw over someone using this gem. The signed cookies in Rails 3 use ActiveSupport::MessageVerifier to make sure the cookie payload hasn’t been messed with. In reality, encrypted-cookies does little more than swap out verifier code with the encryptor code. But simple code has fewer places for bugs to pop up.
Happy encrypting.
The On Blog 
[…] I had finished up with the encrypted-cookie gem, it seemed like a natural extension to convert it into a Rails 3 session store. It operates […]
[…] are somethings that you should leave to the experts. Encryption is one of them. When I wrote my encrypted cookies and encrypted cookie sessions gems, one of the the things I didn’t want to do was write any […]