by jcampbell1 4504 days ago
This is a good technique to know. I feel like that cookie should be HTTP only though. It looks like nginx doesn't support that out of the box.

Really good point. Even better, I'd really like these cookies to be digitally signed (like Rails' session cookies are by default), so that they're unforgeable.

Seems like it wouldn't be too terribly hard to add to nginx...hmm... ;)

They should be secure random strings, no need to sign.

BTW, rails signed session cookies are terrible from a security perspective. Thank god Github has moved away from them.

What, in particular, is problematic about them? Do you mean their particular implementation, the fact that they aren't also encrypted, or the general "password equivalent in a cookie" concept overall?
Yeah, the one ring to rule them all problem. One bad employee, or one of the many rails zero-day issues, potentially compromises the site indefinitely for all eternity.
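The thread contrasts three things: an HttpOnly/Secure cookie, a cookie that is just an opaque secure random string looked up server-side, and a signed (Rails-style) cookie whose forgery depends entirely on one key. The block below is an added example written for this discussion, not code from the thread, from nginx or from Rails; the names (`SessionStore`, `sign_cookie`, `DEMO_KEY`, `forge_with_leaked_key`) and the cookie layout `base64(json).hexmac` are illustrative assumptions. It shows both designs side by side, builds the Set-Cookie header with the attributes asked for above, and demonstrates the "one ring" failure mode: with the signing key in hand, anyone can mint a valid session for any user, whereas a random-token session can be revoked by deleting one row.

```python
"""Opaque random session tokens vs. HMAC-signed cookies.
Added example for this thread; not code from nginx, Rails or the post."""
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical key: in production it lives in a secret store, not in source.
DEMO_KEY = secrets.token_bytes(32)


def set_cookie_header(name, value, max_age=3600, secure=True, http_only=True,
                      same_site="Lax"):
    """Build a Set-Cookie header value with the flags discussed in the thread."""
    parts = [f"{name}={value}", "Path=/", f"Max-Age={max_age}"]
    if secure:
        parts.append("Secure")        # only sent over TLS
    if http_only:
        parts.append("HttpOnly")      # invisible to document.cookie / XSS
    if same_site:
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


# --- Option 1: opaque random token; all state stays on the server ----------
class SessionStore:
    """Maps random session ids to user ids; revocation is a dictionary delete."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = user_id
        return token

    def lookup(self, token):
        return self._sessions.get(token)

    def revoke(self, token):
        self._sessions.pop(token, None)


# --- Option 2: HMAC-signed claims; stateless, everything hinges on the key --
def sign_cookie(claims, key):
    """Serialize claims and append a SHA-256 HMAC; layout is an assumption."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(cookie, key):
    """Return the claims if the MAC verifies, otherwise None."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def forge_with_leaked_key(key, victim_user_id):
    """The 'one ring' problem: whoever holds the key can mint any session."""
    return sign_cookie({"uid": victim_user_id, "admin": True}, key)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(42)
    print(set_cookie_header("sid", sid))
    print("lookup:", store.lookup(sid))
    store.revoke(sid)
    print("after revoke:", store.lookup(sid))

    signed = sign_cookie({"uid": 42}, DEMO_KEY)
    print("verify:", verify_cookie(signed, DEMO_KEY))
    print("tampered:", verify_cookie(signed[:-1] + "0", DEMO_KEY))
    print("forged with leaked key:",
          verify_cookie(forge_with_leaked_key(DEMO_KEY, 1), DEMO_KEY))
```

Note that the signed design has no server-side list to consult, so a leaked key (or a bug that lets an attacker sign) stays exploitable until every key is rotated, and rotation logs out every user; the opaque-token design pays for that with a lookup per request but can revoke one session at a time.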