What is the difference between signed and encrypted cookies in Rails? What is the difference between signed and encrypted cookies in Rails? ruby-on-rails ruby-on-rails

What is the difference between signed and encrypted cookies in Rails?


ruby-on-rails cookies session-cookies

It's subtle, but the answer is in the documentation you provided. Signed cookies only guard against tampering, while encrypted cookies guard against reading and tampering.

More specifically, signed cookies call ActiveSupport::MessageVerifier to append a digest (generated using secret_key_base) to the cookie. If the value of the cookie is modified, the digest will no longer match, and without knowing the value of secret_key_base, the cookie cannot be signed. The value of the cookie is merely base64 encoded, however, and can be read by anyone.

Encrypted cookies called ActiveSupport::MessageEncryptor to actually encrypt the value of the cookie before generating the digest. Similar to signed cookies, if the value of cookie is modified the digest will no longer match, but additionally the value of the cookie cannot be decrypted without the secret_key_base.

As to when you'd use encrypted versus signed cookies, it comes down to the sensitivity of the information you're storing in the cookie. If all you want to protect against is someone modifying the cookie, then sign it - but if you also need to keep the data secret, encrypt it.

ruby-on-rails cookies session-cookies

Signed Cookies

Properties: Can be read by the client, server prevents tampering of the value.

Usage: read-only value for frontend (makes little sense with HttpOnly)

Typically just like an encrypted cookie, but because of design shortcomings, the client (browser) also need to access its value.

I can't think of a proper example... perhaps storing user data without a server-side storage, while guaranteeing its validity? (not very efficient though)

Encrypted cookies

Properties: A secret the client get, cannot read/write and will be returned to the server.

Usage: overcome stateless part of http, e.g. sessions (makes little sense without HttpOnly)

Summary

I'd say using signed cookies is always a poor architectural decision. But under extreme constrains (no server-side storage, no javascript in the browser) could be the only solution left.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last