[PLejeck]

Sure, it's the default, but don't people realize never to trust clientside data? I don't know if CookieStore is signed or not, but I generally assume even if I sign the data it's not safe.

It's not that hard to just set up a Redis or whatever store to handle stuff like this, I never understood why people whouldn't bother.

[epochwolf]

Cookie store has always been signed and in rails 4 it's encrypted.

[willvarfar]

Very sloppy it wasn't encrypted from day 1 imo.

[rimantas]

Day 1 was eight years ago. Care to tell which popular web frameworks did that then?

[mgkimsal]

most popular web frameworks don't put data in the cookie, signed or not. yes it introduces different problems, but avoids this one.

[terabytest]

How would you do it with redis exactly?

[nl]

Same way ActionDispatch::Session::CacheStore does.

All session stores use a cookie to store a unique ID for each session...For most stores, this ID is used to look up the session data on the server, e.g. in a database table.

(obviously you'd substitute Redis for the database table mentioned above)