Encrypted session cookies for Rack (and therefore Sinatra)
The encrypted_cookie gem provides 256-bit-AES-encrypted, tamper-proof cookies
for Rack through the class Rack::Session::EncryptedCookie.
How to use encrypted_cookie
$ gem install encrypted_cookie
Sinatra example:
require 'sinatra'
require 'encrypted_cookie'
use Rack::Session::EncryptedCookie,
  :secret => TYPE_YOUR_LONG_RANDOM_STRING_HERE*

get '/' do
  session[:foo] = 'bar'
  "session: " + session.inspect
end
* Your :secret must be at least 32 bytes long and should be really random.
Don't use a password or passphrase, generate something random (see below).
Encryption and integrity protection
The cookie is encrypted with 256-bit AES in CBC mode (with a random IV). The
encrypted cookie is then signed with an HMAC, which prevents tampering and
chosen-ciphertext attacks against the CBC ciphertext. Any attempt to tamper
with the cookie resets the session to {} (an empty hash).
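The encrypt-then-MAC construction described above, as an added illustration that is not the gem's own code: the key derivation (two HMAC-SHA256 keys from the one secret), the HMAC-SHA256 tag and JSON serialisation (so session keys come back as strings) are assumptions made here, not details taken from the gem.

```ruby
require 'openssl'
require 'json'

# Illustrative encrypt-then-MAC session cookie (not Rack::Session::EncryptedCookie itself).
class EncryptThenMacCookie
  MIN_SECRET_BYTES = 32 # the README requires a secret of at least 32 bytes

  def initialize(secret)
    if secret.bytesize < MIN_SECRET_BYTES
      raise ArgumentError, "secret must be at least #{MIN_SECRET_BYTES} bytes"
    end
    # Assumed derivation: separate keys for encryption and authentication.
    @enc_key = OpenSSL::HMAC.digest('SHA256', secret, 'encryption')
    @mac_key = OpenSSL::HMAC.digest('SHA256', secret, 'authentication')
  end

  # AES-256-CBC under a fresh random IV, then HMAC over IV || ciphertext.
  def seal(session)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    cipher.key = @enc_key
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    body = iv + ciphertext
    tag = OpenSSL::HMAC.digest('SHA256', @mac_key, body)
    [body + tag].pack('m0') # strict base64, no newlines
  end

  # Verify the tag before any decryption; every failure (bad tag, truncated or
  # malformed cookie, padding error) yields the empty session {}.
  def open(cookie)
    raw = cookie.to_s.unpack1('m0')
    return {} if raw.bytesize < 16 + 32 # need at least an IV and a tag
    body = raw[0...-32]
    tag = raw[-32..]
    expected = OpenSSL::HMAC.digest('SHA256', @mac_key, body)
    return {} unless OpenSSL.fixed_length_secure_compare(expected, tag)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    cipher.key = @enc_key
    cipher.iv = body[0, 16]
    plaintext = cipher.update(body[16..]) + cipher.final
    JSON.parse(plaintext.force_encoding(Encoding::UTF_8))
  rescue ArgumentError, OpenSSL::Cipher::CipherError, JSON::ParserError
    {}
  end
end
```

Because the tag is checked with a constant-time compare before decryption, a modified cookie never reaches the CBC decryptor, which is what closes off padding-oracle style chosen-ciphertext attacks.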
Generating a good secret
Run this in a terminal and paste the output into your script: