In Rails, a session_id is generated if the session configuration is set up properly; after the web page is rendered, the session_id is stored on the client in a cookie. However, if the cookie value is changed by the client before a request is sent to the web server, how does Rails check for the change? So far I cannot find any clues as to how Rails checks for the change. If it doesn’t check, and the changed session_id exists in the web server's session store, another session’s data will be displayed to the current browser user.
If anyone is clear on this question, can you explain it to me? Thank you in advance.
The cookie is cryptographically signed. See:
https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/cookies.rb
Note that signing the cookie doesn’t mean the same thing as encrypting it. The user can see the contents of their session with a bit of fiddling but can’t alter it without breaking the signature.
If you want to hide the contents of your sessions from your user, don’t use the cookie store.
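
The sign-but-not-encrypt behaviour described in the answer above, as an added example that is not part of the original posts and is not Rails' own code. It is a standard-library sketch; the secret, the JSON serialization, HMAC-SHA256, the `payload--digest` layout and all function names are assumptions made for the illustration.

```ruby
require "openssl"
require "json"

# Constructed secret; stands in for the application's server-side secret.
SECRET = "constructed-demo-secret-not-a-real-key"

def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, data)
end

# Serialize the session, Base64-encode it, append an HMAC over the encoding.
def generate_cookie(session, secret = SECRET)
  payload = [JSON.generate(session)].pack("m0")
  "#{payload}--#{sign(payload, secret)}"
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the session hash, or nil when the signature does not verify.
def verify_cookie(cookie, secret = SECRET)
  payload, digest = cookie.to_s.split("--", 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(digest, sign(payload, secret))
  JSON.parse(payload.unpack1("m0"))
rescue ArgumentError, JSON::ParserError
  nil
end

# Anyone holding the cookie can decode the payload; no secret is needed.
def read_without_secret(cookie)
  JSON.parse(cookie.split("--", 2).first.unpack1("m0"))
end

# Client-side edit: replace the payload but keep the old signature.
def tamper(cookie, new_session)
  _, digest = cookie.split("--", 2)
  "#{[JSON.generate(new_session)].pack("m0")}--#{digest}"
end
```

A cookie produced by `generate_cookie` verifies and can be read by `read_without_secret`, while the output of `tamper` makes `verify_cookie` return nil, so the server discards the altered value instead of looking up a session with it.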