
Signed cookies would be more secure if the signature included the cookie name #17136

Closed
emma-borhanian opened this issue Oct 1, 2014 · 4 comments

Comments

@emma-borhanian emma-borhanian commented Oct 1, 2014

The SignedCookieJar only signs the content of the cookie, not the name.

This means that if I have the signed cookies locale and user_id, someone can copy the value of the cookie locale and put it in user_id and the server will accept it.

action_dispatch/middleware/cookies.rb:457
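The behaviour reported above, and the fix of including the name in what gets signed, as an added Ruby example that is not part of this issue or of Rails' own SignedCookieJar: it uses a toy HMAC scheme (the SECRET and the payload format are constructed for the demo) to show that a value-only signature verifies under any cookie name while a name-bound signature does not.

```ruby
require "openssl"

# Toy signed-cookie scheme written for this illustration only; it is not
# Rails' SignedCookieJar or ActiveSupport::MessageVerifier. Constructed key:
SECRET = "constructed-demo-secret-not-for-real-use".freeze

def hmac(data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
end

# Constant-time comparison so the digest check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Scheme as reported in the issue: only the value is covered by the signature,
# so a cookie signed under one name also verifies under any other name.
def sign_value_only(_name, value)
  payload = [value].pack("m0")          # strict base64, no newlines
  "#{payload}--#{hmac(payload)}"
end

def verify_value_only(_name, cookie)
  payload, digest = cookie.to_s.split("--", 2)
  return nil unless payload && digest && secure_equal?(hmac(payload), digest)
  payload.unpack1("m0")
end

# Name-bound scheme: the cookie name (supplied by the server when reading,
# never taken from the request) is mixed into the signed data, so moving a
# value from one cookie name to another invalidates the signature.
def sign_with_name(name, value)
  payload = [value].pack("m0")
  "#{payload}--#{hmac("#{name}--#{payload}")}"
end

def verify_with_name(name, cookie)
  payload, digest = cookie.to_s.split("--", 2)
  return nil unless payload && digest && secure_equal?(hmac("#{name}--#{payload}"), digest)
  payload.unpack1("m0")
end

if __FILE__ == $PROGRAM_NAME
  c = sign_value_only("locale", "en")
  puts "value-only: locale cookie read as user_id => #{verify_value_only("user_id", c).inspect}"
  c = sign_with_name("locale", "en")
  puts "name-bound: locale cookie read as user_id => #{verify_with_name("user_id", c).inspect}"
end
```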

@emma-borhanian emma-borhanian commented Oct 2, 2014

I'm willing to write a pull request for this if there is any interest?

@gchan gchan commented Dec 5, 2014

This seems like a good idea. Would you update the serializer to include the name?

@sgrif sgrif commented Dec 5, 2014

We don't accept feature requests on the issues tracker. Feel free to open a PR. If you'd like to determine if there is interest in a feature before working on it, please open a thread on the rails-core mailing list.

@sgrif sgrif closed this Dec 5, 2014
@9mm 9mm commented Mar 7, 2018

Was this ever fixed?
