使用Rails存储加密的cookie [英] Storing an encrypted cookie with Rails
问题描述
我需要在Rails的一个cookie中存储一小段数据(少于10个字符),我需要它的安全。我不希望任何人能够读取这些数据或注入自己的数据(因为这会打开应用程序进行多种攻击)。我认为加密cookie的内容是要走的路(应该还签)吗?什么是最好的方法?
现在我正在做这个,看起来很安全,但是对于那些比我更了解的知识更多的人来说,许多事情看起来很安全安全,然后发现它不是真的安全。
我以这种方式保存秘密:
pre>
encryptor = ActiveSupport :: MessageEncryptor.new(Example :: Application.config.secret_token)
cookies [:secret] = {
:value => encryptor.encrypt(secret),
:domain => example.com,
:secure => !(Rails.env.test?|| Rails.env.development?)
}
然后我正在读它:
encryptor = ActiveSupport :: MessageEncryptor.new(Example :: Application.config .secret_token)
secret = encryptor.decrypt(cookies [:secret])
安全?任何更好的方法?
更新:我知道Rails的会话及其安全性,无论是通过签名cookie和可选地存储会话服务器端的内容,并且我使用该会话来进行该操作。但是我的问题是关于存储一个cookie,一段信息我不想在会话中,但是我仍然需要它来安全。
我正在重新发布雅各布的答案,他删除了,因为这是正确的答案并指出我正确的方向。如果他取消删除它,我会删除这个,并选择他的最佳答案。
首先,如果你使用
encrypt_and_verify而不是encrypt它将
为您签名。
然而,当涉及到安全性时,我总是宁愿依靠在公共场合进行审查的
解决方案,而不是滚动我自己的。
一个例子是加密Cookie宝石。
I need to store a small piece of data (less than 10 characters) in a cookie in Rails and I need it to be secure. I don't want anybody being able to read that piece of data or injecting their own piece of data (as that would open up the app to many kinds of attacks). I think encrypting the contents of the cookie is the way to go (should I also sign it?). What is the best way to do it?
Right now I'm doing this, which looks secure, but many things looked secure to people that knew much more than I about security and then it was discovered it wasn't really secure.
I'm saving the secret in this way:
encryptor = ActiveSupport::MessageEncryptor.new(Example::Application.config.secret_token)
cookies[:secret] = {
:value => encryptor.encrypt(secret),
:domain => "example.com",
:secure => !(Rails.env.test? || Rails.env.development?)
}
and then I'm reading it like this:
encryptor = ActiveSupport::MessageEncryptor.new(Example::Application.config.secret_token)
secret = encryptor.decrypt(cookies[:secret])
Is that secure? Any better ways of doing it?
Update: I know about Rails' session and how it is secure, both by signing the cookie and by optionally storing the contents of the session server side and I do use the session for what it is for. But my question here is about storing a cookie, a piece of information I do not want in the session but I still need it to be secure.
I'm re-posting JacobM's answer, that he deleted, because it was the correct answer and pointed me in the right direction. If he undeletes it, I'll delete this one and pick his as the best answer.
First of all, if you use
encrypt_and_verifyinstead ofencryptit will sign the cookie for you.However, when it comes to security, I always prefer to rely on solutions that have been vetted in public, rather than rolling my own. An example would be the encrypted-cookies gem.
这篇关于使用Rails存储加密的cookie的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
