There will be breaking changes from v0.3 -> v1.0. Usage won’t change, but any cookies written with v0.3 will not be able to be read by v1.0. This is a security update and it is strongly encouraged that you update your projects accordingly.
ActiveSupport::MessageEncryptor offers two encryption functions, encrypt and encrypt_and_verify. While I intended to use encrypt_and_verify when I released the gem, I accidently left the call to encrypt in the code. Life isn’t all bad, though. Your cookie written with v0.3 are still strongly encrypted, and only the holder of the secret (i.e., you) will be able to decrypt them. The problem arises from the fact that there is no verification on the encrypted payload. If someone tampers with the encrypted payload, you won’t know it. Well, you will know it becuase the decrypted tampered payload will be gibberish, but that might be hard to recognize under some circumstances. Using encrypt_and_verify will sign the encrypted payload so that if it is tampered with you will know it right away.
ActiveSupport is actually deprecating encrypt and decrypt in v3.2 becuase of this very issue.
TL;DR; You data is secure with v0.3, but it is harder to tell if someone is trying to tamper with it.
Please feel free to contact me with any questions or concerns.
Encrypted cookie jar for Rails 3.
There are times when one must store things in a cookie that are not necessarily meant for anyone’s eyes. It is probably not the best practice to do so, but when one must, it’s better to do so with at least a minimal bit of security. encrypted-cookies
will encrypt and sign the contents of the cookie before writing it back to the browser and then decrypt and verify the data on each subsequent request.
EncryptedCookieJar is very much like the SignedCookieJar. The difference is it uses ActiveSupport::MessageEncryptor instead of ActiveSupport::MessageVerifier to generate the value set on the cookie. Fairly straight forward.
Write an encrypted cookie:
cookies.encrypted[:encrypted_cookie] = "You don't know what this says."
Read the encrypted cookie:
cookies.encrypted[:encrypted_cookie] # => You don't know what this says.
You can chain the encrypted cookie jar:
cookies.permanent.encrypted[:permanent_encrypted_cookie] = "You don't know what this says, and it will be here for 20 years..." cookies.encrypted[:permanent_encrypted_cookie] # => "You don't know what this says, and it will be here for 20 years..."
Encrypted cookies works with Rails 3.0.0, but because of a requirement bug in ActionPack 3.0.4, the tests only run with version 3.0.5.
For more information: rails.lighthouseapp.com/projects/8994/tickets/6393-action_dispatchhttprequestrb-missing-a-require
This is provided as is. No guarantee is given for the security of the data written or read by this software. This has not been tested for cryptographic rigor. Use at your own discretion and risk. This should not be only level of security you use for your data. It uses ActiveSupport::MessageEncryptor to encrypt and ActiveSupport::MessageVerifier to sign the cookie values, so it is at best as secure as these two libraries. Be sure to keep your AppName::Application.config.secret_token safe and secret, as both of the above libraries use it in your Rails application.
Copyright © 2011 Les Fletcher
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.