Update the Rails security guide #25035
Conversation
Bring up-to-date the information about the session id in the Sessions section. The guide currently says that the session id is a md5 hash while the implementation uses a random hex string. Fixes rails#25032. [ci skip]
|
Thanks for the pull request, and welcome! The Rails team is excited to review your changes, and you should hear from @matthewd (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
| @@ -50,9 +50,9 @@ User.find(session[:user_id]) | |||
|
|
|||
| ### Session id | |||
|
|
|||
| NOTE: _The session id is a 32 byte long MD5 hash value._ | |||
| NOTE: _The session id is a 32-character random hex string._ | |||
There was a problem hiding this comment.
Don't believe this is 32, can you check and confirm?
There was a problem hiding this comment.
The code:
def generate_sid
sid = SecureRandom.hex(16)
sid.encode!(Encoding::UTF_8)
sid
end
The line SecureRandom.hex(16) generates 32-character string as per documentation:
The argument n specifies the length, in bytes, of the random number to be generated. The length of the resulting hexadecimal string is twice n.
|
Thanks @ralinchimev ! |
|
Thank you @vipulnsward |
Bring up-to-date the information about the session id in the
Sessions section. The guide currently says that the session
id is a md5 hash while the implementation uses a random hex
string.
Fixes #25032.
[ci skip]