
https://github.com/cvonkleist/encrypted_cookie

AES-128 encrypted session cookies for Rack (and Sinatra and other frameworks).

gems rack ruby sinatra


README


## Encrypted session cookies for Rack (and therefore Sinatra)

![Ruby](https://github.com/cvonkleist/encrypted_cookie/workflows/Ruby/badge.svg)

The `encrypted_cookie` gem provides 256-bit-AES-encrypted, tamper-proof cookies
for Rack through the class `Rack::Session::EncryptedCookie`.

## How to use encrypted\_cookie

```bash
$ gem install encrypted_cookie
```

Sinatra example:

```ruby
require 'sinatra'
require 'encrypted_cookie'

use Rack::Session::EncryptedCookie,
  :secret => 'TYPE_YOUR_LONG_RANDOM_STRING_HERE' # * see the note below

get '/' do
  session[:foo] = 'bar'
  "session: " + session.inspect
end
```

_*_ Your `:secret` must be at least 32 bytes long and should be genuinely random.
Don't use a password or passphrase; generate a random value instead (see "Generating a good secret" below).

## Encryption and integrity protection

The cookie is encrypted with 256-bit AES in CBC mode (with a random IV per cookie). The
encrypted cookie is then signed with an HMAC, to prevent tampering and chosen
ciphertext attacks. Any attempt at tampering with the cookie will reset the
user's session to `{}` (empty hash).
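The scheme described above (AES-256-CBC with a random IV, then an HMAC over the ciphertext, with any verification failure collapsing the session to `{}`), written out as an added example on Ruby's OpenSSL bindings. This is not the gem's own code: the class name `DemoEncryptedCookie`, the HKDF-style derivation of separate encryption and MAC keys from the secret, the JSON serialization and the Base64 wire format are all assumptions made for the demonstration.

```ruby
# Added example, not encrypted_cookie's implementation: encrypt-then-MAC cookie
# sealing as the README describes. Key derivation, serialization and encoding
# are assumptions chosen for this demo.
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

class DemoEncryptedCookie
  IV_LEN  = 16 # AES block size
  TAG_LEN = 32 # HMAC-SHA256 output

  # Derive two independent keys from the app secret so the HMAC key never
  # shares bytes with the AES key (assumption: the gem may derive keys differently).
  def initialize(secret)
    raise ArgumentError, 'secret must be at least 32 bytes' if secret.bytesize < 32
    @enc_key = OpenSSL::HMAC.digest('SHA256', secret, 'encryption')
    @mac_key = OpenSSL::HMAC.digest('SHA256', secret, 'signing')
  end

  # Serialize the session hash, encrypt under AES-256-CBC with a fresh random IV,
  # then HMAC the IV||ciphertext so the MAC also covers the IV.
  def seal(session_hash)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    cipher.key = @enc_key
    iv = cipher.random_iv # generates, sets and returns the IV
    ciphertext = cipher.update(JSON.generate(session_hash)) + cipher.final
    body = iv + ciphertext
    tag = OpenSSL::HMAC.digest('SHA256', @mac_key, body)
    Base64.strict_encode64(body + tag)
  end

  # Verify the HMAC in constant time BEFORE decrypting; any failure (bad
  # encoding, truncated value, altered bytes, padding error) yields {}.
  def unseal(cookie_value)
    raw = Base64.strict_decode64(cookie_value.to_s)
    return {} if raw.bytesize < IV_LEN + TAG_LEN
    body = raw[0...-TAG_LEN]
    tag  = raw[-TAG_LEN..]
    expected = OpenSSL::HMAC.digest('SHA256', @mac_key, body)
    return {} unless secure_equal?(expected, tag)
    decipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    decipher.key = @enc_key
    decipher.iv = body[0, IV_LEN]
    JSON.parse(decipher.update(body[IV_LEN..]) + decipher.final)
  rescue ArgumentError, OpenSSL::Cipher::CipherError, JSON::ParserError
    {}
  end

  private

  # Byte-wise comparison whose running time does not depend on where the
  # inputs first differ, so an attacker cannot forge a tag byte by byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Usage with a constructed secret; in an app, generate one with SecureRandom.hex(32).
if __FILE__ == $PROGRAM_NAME
  jar = DemoEncryptedCookie.new(SecureRandom.hex(32))
  cookie = jar.seal('foo' => 'bar')
  puts jar.unseal(cookie).inspect
end
```

Because JSON is used for serialization, symbol keys come back as strings, which matches how Rack sessions expose keys. Two calls to `seal` with the same session produce different cookies because of the random IV, and flipping any byte of the cookie makes `unseal` return `{}` without ever running the decryptor, which is what removes the padding-oracle risk the README's "chosen ciphertext attacks" refers to.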

## Generating a good secret

Run this in a terminal and paste the output into your script:

```bash
$ ruby -rsecurerandom -e "puts SecureRandom.hex(32)"
```

## Developing

To get the specs running:

```bash
$ cd path-to-clone
$ gem install bundler # if not already installed
$ bundle install
$ bundle exec rspec
```

## Thanks

- [@namelessjon](https://github.com/namelessjon) - Jon - For the massive crypto improvements!
- [@mkristian](https://github.com/mkristian) - Christian Meier
- [@danp](https://github.com/danp) - Dan Peterson
- [@stmllr](https://github.com/stmllr) - Steffen Müller
- [@andrhamm](https://github.com/andrhamm) - Andrew Hammond