I need to store a small piece of data (less than 10 characters) in a cookie in Rails and I need it to be secure. I don’t want anybody being able to read that piece of data or injecting their own piece of data (as that would open up the app to many kinds of attacks). I think encrypting the contents of the cookie is the way to go (should I also sign it?). What is the best way to do it?
Right now I’m doing this, which looks secure, but many things looked secure to people that knew much more than I about security and then it was discovered it wasn’t really secure.
I’m saving the secret in this way:
encryptor = ActiveSupport::MessageEncryptor.new(Example::Application.config.secret_token)
cookies[:secret] = {
:value => encryptor.encrypt(secret),
:domain => "example.com",
:secure => !(Rails.env.test? || Rails.env.development?)
}
and then I’m reading it like this:
encryptor = ActiveSupport::MessageEncryptor.new(Example::Application.config.secret_token)
secret = encryptor.decrypt(cookies[:secret])
Is that secure? Any better ways of doing it?
Update: I know about Rails’ session and how it is secure, both by signing the cookie and by optionally storing the contents of the session server side and I do use the session for what it is for. But my question here is about storing a cookie, a piece of information I do not want in the session but I still need it to be secure.
I’m re-posting JacobM‘s answer, that he deleted, because it was the correct answer and pointed me in the right direction. If he undeletes it, I’ll delete this one and pick his as the best answer.