by jcampbell1 4499 days ago
They should be secure random strings, no need to sign.

BTW, rails signed session cookies are terrible from a security perspective. Thank god Github has moved away from them.

1 comment

What, in particular, is problematic about them? Do you mean their particular implementation, the fact that they aren't also encrypted, or the general "password equivalent in a cookie" concept overall?
Yeah, the one ring to rule them all problem. One bad employee, or one of the many rails zero-day issues, potentially compromises the site indefinitely for all eternity.
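Added illustration of the trade-off argued in this thread (example code, not from any commenter, Rails or GitHub): a stateless HMAC-signed cookie stays valid for as long as the signing secret is in use, so the only way to invalidate it is a rotation that logs out every user, whereas an opaque random session id can be revoked one at a time because the server-side table is authoritative. The HMAC-SHA256 construction, the placeholder secret and the user names are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder secret for the signed-cookie scheme (not a real key).
SECRET_V1 = b"example-secret-v1"

def sign_cookie(user_id, secret):
    """Stateless signed session cookie: payload plus an HMAC-SHA256 tag."""
    payload = f"user={user_id}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def verify_cookie(cookie, secret):
    """Return the user id if the tag verifies under this secret, else None.
    No server state is consulted: the cookie stays valid for as long as the
    secret that signed it remains in use."""
    payload, _, tag = cookie.rpartition("|")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload.partition("=")[2]

class SessionStore:
    """Opaque random session ids; the server-side table is authoritative."""
    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = user_id
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)
    def revoke(self, sid):
        self._sessions.pop(sid, None)

def revocation_comparison():
    """Log one user out under both schemes and report what still validates."""
    store = SessionStore()
    sid = store.create("alice")
    cookie = sign_cookie("alice", SECRET_V1)
    store.revoke(sid)                    # random id: this one session is gone
    secret_v2 = secrets.token_bytes(32)  # signed: only rotating the secret
    return {                             # invalidates it, for every user at once
        "random_id_after_revoke": store.lookup(sid),
        "signed_after_revoke": verify_cookie(cookie, SECRET_V1),
        "signed_after_rotation": verify_cookie(cookie, secret_v2),
    }
```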