Use alternative serializer #6
Comments
Personally I store a Hash with primitives in my session, so JSON or (safe_)yaml would do just fine, via some config/options or so!!
*several months elapse* One snag in implementing this easily is the expiry time which was added. With e.g. Options
Since the project seems to be no longer maintained, I built another one. It's built on top of:

```ruby
use Rack::Session::EncryptedCookie, secret: 'tonytonyjan', coder: Rack::Session::Cookie::Base64::JSON.new
```

There are 3 built-in serializers (coders) so far:

```ruby
puts Rack::Session::Cookie::Base64.constants
# => [:Marshal, :JSON, :ZipJSON]
```
a la https://gist.github.com/mattetti/7624413

tl;dr: encrypted_cookie currently serializes via Marshal. This means that anyone who discovers the session secret probably has remote code execution on the application. Which is pretty bad, obviously.
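The following is an added example illustrating the point of this issue and of the coder discussion above; it is not code from encrypted_cookie, from tonytonyjan's gem, or from any commenter. It assumes the two-method `encode`/`decode` contract that Rack::Session::Cookie coders use, and the names `JsonCoder`, `MarshalCoder`, `Gadget` and the helper functions are made up for the example. It shows why a Marshal coder turns "knows the secret" into "can instantiate any class in the process" while a JSON coder only ever yields primitives, and it also reproduces the expiry-time snag mentioned in the thread: a `Time` survives Marshal but comes back from JSON as a String, so an expiry has to be stored as a plain integer.

```ruby
require 'json'
require 'base64'

# JSON-backed coder with the encode(obj)/decode(str) interface that
# Rack::Session::Cookie expects from a coder. Only JSON primitives
# (Hash, Array, String, numbers, true/false/nil) survive the round trip,
# so a forged cookie body can never produce an object of an arbitrary class.
class JsonCoder
  def encode(obj)
    Base64.strict_encode64(JSON.generate(obj))
  end

  def decode(str)
    JSON.parse(Base64.strict_decode64(str))
  rescue ArgumentError, JSON::ParserError
    nil # unreadable cookie => treat as empty session, like Rack does
  end
end

# The Marshal-backed coder the issue warns about, for comparison.
# Marshal.load reconstructs whatever classes the byte stream names.
class MarshalCoder
  def encode(obj)
    Base64.strict_encode64(Marshal.dump(obj))
  end

  def decode(str)
    Marshal.load(Base64.strict_decode64(str))
  rescue ArgumentError, TypeError
    nil
  end
end

# Constructed stand-in for "some class that exists in the app process".
# With Marshal, an attacker who can produce a valid cookie gets an instance
# of this (or of any other loaded class) created on decode.
class Gadget
  attr_reader :cmd

  def initialize(cmd)
    @cmd = cmd
  end
end

# Constructed sample session: primitives only, expiry as an epoch integer.
SESSION = { 'user_id' => 42, 'roles' => ['admin'], 'expires_at' => 1_700_000_000 }.freeze

def roundtrip(coder, obj)
  coder.decode(coder.encode(obj))
end

# Simulates an attacker-built cookie body carrying a non-primitive object
# and reports what class the server ends up holding after decode.
def forged_class_name(coder)
  forged = coder.encode(Gadget.new('id'))
  coder.decode(forged).class.name
end

# The expiry snag: what type does a Time-valued expiry come back as?
def expiry_class_after(coder)
  coder.decode(coder.encode({ 'expires_at' => Time.at(1_700_000_000) }))['expires_at'].class.name
end

if __FILE__ == $PROGRAM_NAME
  [MarshalCoder.new, JsonCoder.new].each do |coder|
    puts "#{coder.class}: forged object decodes to #{forged_class_name(coder)}, " \
         "Time expiry decodes to #{expiry_class_after(coder)}"
  end
end
```

Run stand-alone, the script shows the Marshal coder handing back a `Gadget` and a `Time`, while the JSON coder hands back a `String` in both cases. That is the whole security argument in one line: with JSON the worst a secret-holding attacker can do is set session values, not pick which classes get instantiated.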