by dgoodlad 4990 days ago
That's how _some_ session tracking works. See Rails' CookieStore strategy for session storage for example: http://guides.rubyonrails.org/security.html#session-storage

> Rails 2 introduced a new default session storage, CookieStore. CookieStore saves the session hash directly in a cookie on the client-side. The server retrieves the session hash from the cookie and eliminates the need for a session id. That will greatly increase the speed of the application, but it is a controversial storage option and you have to think about the security implications of it:


That's not how secure session management works.
It's plenty secure in the sense that you can't forge a session. It's not secure in the sense that the data is inaccessible if you know how to base64 decode a cookie.

If you're using cookie sessions, you should know better than to store sensitive information in the session.

In other words, because they are holding sensitive information in their cookies encoded only via base64 it's not secure. In other words, what I said.
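The distinction the thread is arguing over, shown as an added example that is not code from the Rails guide or from either commenter: a session cookie built in the CookieStore style (session hash serialized, base64-encoded, HMAC-signed) can be verified by the server and cannot be forged without the secret, yet anyone holding the cookie can decode its contents with no secret at all. An encrypted variant is included as the mitigation. The cookie layout, the JSON serialization, the SHA-256 HMAC, the `SECRET` constant and every function name are assumptions for this demo, not Rails' actual implementation.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Constructed secret for the demo only; a real app loads this from configuration.
SECRET = 'demo-secret-not-for-production'

def hmac(secret, data)
  OpenSSL::HMAC.hexdigest('SHA256', secret, data)
end

# Constant-time comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Signed store: payload is readable, but any modification is detected ---

# Serialize the session, base64 it, append an HMAC over the encoded payload.
def sign_session(session, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{hmac(secret, payload)}"
end

# Check the signature before trusting anything; returns nil on tampering.
def verify_session(cookie, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_equal?(digest, hmac(secret, payload))
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# What the cookie holder can do without the secret: read every field.
def peek_session(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split('--', 2).first))
end

# --- Encrypted store: contents hidden, and GCM still rejects modification ---

def derive_key(secret)
  OpenSSL::Digest::SHA256.digest(secret)
end

# AES-256-GCM; cookie carries iv, ciphertext and auth tag, each base64-encoded.
def encrypt_session(session, secret = SECRET)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv
  cipher.auth_data = ''
  ct = cipher.update(JSON.generate(session)) + cipher.final
  [iv, ct, cipher.auth_tag].map { |b| Base64.strict_encode64(b) }.join('--')
end

# Returns nil if the tag does not verify, i.e. the cookie was altered.
def decrypt_session(cookie, secret = SECRET)
  iv, ct, tag = cookie.split('--', 3).map { |b| Base64.strict_decode64(b) }
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(secret)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ''
  JSON.parse(cipher.update(ct) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError, TypeError
  nil
end

# Does a plain base64 decode of any cookie segment reveal the given value?
def cookie_exposes?(cookie, needle)
  cookie.split('--').any? { |seg| Base64.decode64(seg).include?(needle) }
end

if $PROGRAM_NAME == __FILE__
  session = { 'user_id' => 42, 'email' => 'alice@example.com' } # constructed
  signed = sign_session(session)
  puts "signed cookie, readable without the secret: #{peek_session(signed)}"
  puts "encrypted cookie exposes email? #{cookie_exposes?(encrypt_session(session), 'alice@example.com')}"
end
```

The two stores fail the same way on a forged cookie (both return nil), which is the sense in which the signed store is "plenty secure"; they differ only in whether `peek_session` and `cookie_exposes?` succeed, which is the sense in which storing sensitive fields in a signed-but-unencrypted cookie is not.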