Signed and encrypted Rails cookies for tamper resistant state

13291 views

                  cookies.encrypted[:trusted_device] = {
  value: { user_id: current_user.id, fingerprint: device_fingerprint }.to_json,
  expires: 30.days.from_now,
  httponly: true,
  secure: Rails.env.production?,
  same_site: :strict,
}

Client-side cookies should be treated as attacker-controlled even when the framework signs them. I use encrypted cookies for sensitive state, keep payloads minimal, and avoid long-lived authorization decisions inside the browser. The convenience of cookie-backed state should not blur trust boundaries.

Kai Nakamura

More from Kai Nakamura

Signed and encrypted Rails cookies for tamper resistant state

0 Comments

More from Kai Nakamura