Cookie Sessions in Merb?

Ezra Zygmuntowicz ez at
Fri Aug 17 13:38:43 EDT 2007

Yeah I'd be interested in a cookie store. But the security concerns are
valid so we would need to investigate thoroughly


Sent from my iPhone

On Aug 17, 2007, at 10:08 AM, "ry dahl" <ry at> wrote:

> I like the cookie sessions that Rails edge has - they make sense,
> they're fast, easy.
> For those that don't know: the default session mechanism is to give
> developers a Hash called session. To store this object between
> requests it Marshals the session object and sends the object itself
> (now as a bitstream) back to clients to store in their cookie file. To
> prevent users from tampering with this data, a cryptographic digest
> (using HMAC with SHA-1) is sent along with the bitstream.
> The major problem with this scheme is that the Marshalled data is not
> at all encrypted! Users are free to unmarshal and examine what
> websites are storing in their sessions. They cannot change the data,
> but nevertheless this is a security problem!
> The answers given by the rails developers sound rather naïve:
>> This is getting into very difficult crypto. Basically, depending on  
>> the cipher, there
>> may be cases where you can change one part of the text without  
>> changing the other.
> Not that I know much about cryptography, but I'm almost certain that
> modifying AES encrypted Marshaled data is quite tamper proof. If not,
> one could at least send a digest along with it.
> There has been some mention of the extra AES operation slowing down
> speed (but it's been said it's not much of a slowdown), I think having
> secure cookies would be well worth the cost.
> Is there interest in this type of session for Merb?
> Related: I've just written a CookieJar class - perhaps it would be
> useful for Merb?
> ry
> _______________________________________________
> Merb-devel mailing list
> Merb-devel at
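
Both schemes discussed in the thread side by side, as an added Ruby example that is not code from the original message, Rails or Merb: the Marshal + HMAC-SHA1 store ry describes, whose `peek` shows the payload is readable by anyone holding the cookie, and the AES-then-digest alternative he proposes. The module names, the `--` separator, the key sizes and the choice of AES-256-CBC are assumptions.

```ruby
require 'openssl'
require 'base64'
# Shared helpers: HMAC-SHA1 as in the thread, plus a constant-time digest comparison.
module CookieCrypto
  def self.hmac(key, data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), key, data)
  end
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Rails-edge-style store from the thread: Marshal + HMAC-SHA1, tamper-evident but not confidential.
module SignedCookieStore
  def self.dump(session, secret)
    data = Base64.strict_encode64(Marshal.dump(session))
    "#{data}--#{CookieCrypto.hmac(secret, data)}"
  end
  # Check the digest first; only then deserialise the payload.
  def self.load(cookie, secret)
    data, digest = cookie.split('--', 2)
    return nil unless digest && CookieCrypto.secure_compare(digest, CookieCrypto.hmac(secret, data))
    Marshal.load(Base64.strict_decode64(data))
  end
  # What any client can do: read the session contents without knowing the secret.
  def self.peek(cookie)
    Marshal.load(Base64.strict_decode64(cookie.split('--', 2).first))
  end
end

# The alternative proposed above: AES-encrypt the Marshalled data and still send a digest (encrypt-then-MAC, separate keys).
module EncryptedCookieStore
  def self.dump(session, enc_key, mac_key)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    cipher.key = enc_key                 # assumed: 32 random bytes
    iv = cipher.random_iv                # fresh IV for every cookie
    blob = Base64.strict_encode64(iv + cipher.update(Marshal.dump(session)) + cipher.final)
    "#{blob}--#{CookieCrypto.hmac(mac_key, blob)}"
  end
  def self.load(cookie, enc_key, mac_key)
    blob, digest = cookie.split('--', 2)
    return nil unless digest && CookieCrypto.secure_compare(digest, CookieCrypto.hmac(mac_key, blob))
    raw = Base64.strict_decode64(blob)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    cipher.key = enc_key
    cipher.iv = raw[0, 16]
    Marshal.load(cipher.update(raw[16..-1]) + cipher.final)
  end
end
```

With the signed store the Marshalled session is visible in the cookie; with the encrypted store it is not, and a cookie whose digest does not verify is rejected before any decryption or unmarshalling happens.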
