ruby
7 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
cookies.encrypted[:trusted_device] = {
value: { user_id: current_user.id, fingerprint: device_fingerprint }.to_json,
expires: 30.days.from_now,
httponly: true,
secure: Rails.env.production?,
same_site: :strict,
}
1 file · ruby
Explain with highlit
Client-side cookies should be treated as attacker-controlled even when the framework signs them. I use encrypted cookies for sensitive state, keep payloads minimal, and avoid long-lived authorization decisions inside the browser. The convenience of cookie-backed state should not blur trust boundaries.
Share this code
Here's the card — post it anywhere.