Encrypted session cookies for Rack (and therefore Sinatra)

The encrypted_cookie gem provides 256-bit-AES-encrypted, tamper-proof cookies for Rack through the class Rack::Session::EncryptedCookie.

How to use encrypted_cookie

$ gem install encrypted_cookie

Sinatra example:

require 'sinatra'
require 'encrypted_cookie'

use Rack::Session::EncryptedCookie,
  :secret => TYPE_YOUR_LONG_RANDOM_STRING_HERE*

get '/' do
  session[:foo] = 'bar'
  "session: " + session.inspect
end

* Your :secret must be at least 32 bytes long and should be really random. Don't use a password or passphrase, generate something random (see below).

Encryption and integrity protection

The cookie is encrypted with 256-bit AES in CBC mode (with random IV). The encrypted cookie is then signed with a HMAC, to prevent tampering and chosen ciphertext attacks. Any attempt at tampering with the cookie will reset the user to {} (empty hash).

Generating a good secret

Run this in a terminal and paste the output into your script:

$ ruby -rsecurerandom -e "puts SecureRandom.hex(32)"

Developing

To get the specs running:

$ cd path-to-clone
$ gem install bundler # if not already installed
$ bundle install
$ bundle exec rspec

Thanks

• @namelessjon - Jon - For the massive crypto improvements!
• @mkristian - Christian Meier
• @danp - Dan Peterson
• @stmllr - Steffen Müller
• @andrhamm - Andrew Hammond