According to this question , session can be edited by user. But this answer

Question

0

Editorial Team

Asked: June 15, 20262026-06-15T18:48:55+00:00 2026-06-15T18:48:55+00:00

According to this question , session can be edited by user. But this answer

0

According to this question, session can be edited by user. But this answer suggests it’s safe to store user id.

From Rails document

A message digest is included with the cookie to ensure data integrity: a user cannot alter his user_id without knowing the secret key included in the hash

With <%= debug(session) %> embedded in my page and the session value in Chrome’s Developer tools, I can’t find the message digest in the session cookie. If I login as user A and then login as user B, the session cookie remains the same excecpt user_id value.

So where is the message digest or do I need some configuration? The auto-generated secret_token exists in config/initializers/secret_token.rb. Is it stored in the server’s memory and hash the session value on every request?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-15T18:48:56+00:00

Editorial Team

2026-06-15T18:48:56+00:00Added an answer on June 15, 2026 at 6:48 pm

The message digest is part of the cookie value. It’s not part of the data you get in the session.

You can see it if you inspect the raw cookie value in chrome – the digest is separated from the payload by a ‘–‘

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

According to this question , session can be edited by user. But this answer

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply