ruby 7 lines · 1 tab

Signed and encrypted Rails cookies for tamper resistant state

Kai Nakamura Apr 2026
1 tab
cookies.encrypted[:trusted_device] = {
  value: { user_id: current_user.id, fingerprint: device_fingerprint }.to_json,
  expires: 30.days.from_now,
  httponly: true,
  secure: Rails.env.production?,
  same_site: :strict,
}
1 file · ruby Explain with highlit

Client-side cookies should be treated as attacker-controlled even when the framework signs them. I use encrypted cookies for sensitive state, keep payloads minimal, and avoid long-lived authorization decisions inside the browser. The convenience of cookie-backed state should not blur trust boundaries.

Share this code

Here's the card — post it anywhere.

Signed and encrypted Rails cookies for tamper resistant state — share card
Link copied