Use alternative serializer #6

Open
namelessjon opened this issue Nov 30, 2013 · 3 comments

Comments

@namelessjon
Collaborator

a la https://gist.github.com/mattetti/7624413

tl;dr: encrypted_cookie currently serializes via Marshal. This means that anyone who discovers the session secret probably has remote code execution on the application. Which is pretty bad, obviously.

@mkristian
Contributor

Personally, I store a Hash with primitives in my session, so JSON or (safe_)yaml would do just fine, via some config/options or so!

@namelessjon
Collaborator Author

*several months elapse*

One snag in implementing this easily is the expiry time which was added. With e.g. JSON.dump, this is serialised to something like "2014-08-15 14:46:26 UTC" and then on JSON.load it is returned as a string, which can't be compared with the Time.

Options

  1. Add a check in the expiry code to Time.parse if given a string.
  2. Write some new JSON and/or YAML based serialiser which converts everything to primitives.
  3. Something else?
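The two points raised above, that Marshal.load runs code from the serialized bytes before the application ever inspects the session, and that a JSON coder needs some way to keep the expiry comparable with Time, can both be shown in one small example. The code below is an added illustration, not encrypted_cookie's own code or anything from the thread: `SessionCoder`, `Probe`, `JSONCoder` and the `_expires_at` key are made-up names, and the "crafted" payload is constructed in-process to stand in for bytes an attacker who holds the secret could wrap in a valid cookie. Note that it uses `JSON.parse`, not `JSON.load`, because `JSON.load` historically defaults to `create_additions: true` and will instantiate classes named by a `json_class` key.

```ruby
require 'json'
require 'time'

# Added example (hypothetical names): Marshal vs. a primitives-only JSON coder.
module SessionCoder
  # Stand-in for any class on the app's load path with a marshal_load hook.
  class Probe
    def self.invocations
      @invocations ||= []
    end

    def marshal_dump
      'ignored'
    end

    # Marshal.load allocates a Probe and calls this with the payload data:
    # code runs before the app has looked at a single session value.
    def marshal_load(data)
      Probe.invocations << data
    end
  end

  # Constructed attacker payload: anyone with the session secret can wrap
  # these bytes in a cookie the app will Marshal.load.
  CRAFTED = Marshal.dump(Probe.new)

  def self.marshal_load_runs_code?
    before = Probe.invocations.size
    Marshal.load(CRAFTED)
    Probe.invocations.size > before
  end

  # The same intent expressed as JSON never instantiates a class:
  # JSON.parse defaults to create_additions: false, so "json_class" is just a key.
  def self.json_parse_yields_only_primitives?
    obj = JSON.parse('{"json_class":"Probe","user_id":42}')
    obj.is_a?(Hash) && obj['json_class'].is_a?(String)
  end

  # JSON coder that stores the expiry as an integer epoch (a primitive) and
  # also accepts the Time#to_s form JSON.dump produces, parsing it back.
  class JSONCoder
    EXPIRY_KEY = '_expires_at'

    def encode(session, expires_at: nil)
      data = session.dup
      data[EXPIRY_KEY] = expires_at.to_i if expires_at
      JSON.generate(data)
    end

    # Returns the session Hash, or nil if the cookie is malformed or expired.
    def decode(str, now: Time.now)
      data = JSON.parse(str)
      return nil unless data.is_a?(Hash)

      exp = data.delete(EXPIRY_KEY)
      if exp
        exp_time = exp.is_a?(String) ? Time.parse(exp) : Time.at(Integer(exp))
        return nil if exp_time <= now
      end
      data
    rescue JSON::ParserError, ArgumentError, TypeError
      nil
    end
  end
end
```

The coder rejects anything that does not decode to a Hash, treats an unparseable or non-numeric expiry as invalid rather than as "never expires", and keeps the comparison in Time on both sides, so the string-vs-Time snag from JSON.dump/JSON.load does not arise.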

@tonytonyjan

tonytonyjan commented Dec 5, 2016

Since the project seems to be no longer maintained, I built another one:
https://github.com/tonytonyjan/rack_encrypted_cookie

It's built on top of Rack::Session::Cookie, so you can customize the :coder as well, for example:

use Rack::Session::EncryptedCookie, secret: 'tonytonyjan', coder: Rack::Session::Cookie::Base64::JSON.new

There are 3 built-in serializers (coders) so far:

puts Rack::Session::Cookie::Base64.constants
# => [:Marshal, :JSON, :ZipJSON]
