which can be used to prevent users from tampering with a cookie’s value.
Before Rails 6, the methods described above signed only the content of the cookie and not its name.
Because the signature did not bind the value to a particular cookie, signed data could be copied from one cookie and presented as the value of another, and the copied value would still verify.
After Rails 6
Rails 6 adds purpose metadata to cookies.
A cookie’s name is used to set this metadata, which is then embedded in the signed cookie.
This prevents users from using one cookie’s value for another.
In the example above, the data before -- is the Base64 encoded value with expiry metadata embedded.
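To make the difference concrete, here is an added, self-contained Ruby sketch of a Rails-style signed cookie with and without purpose metadata (illustrative code written for this page, not Rails' own implementation; the secret, cookie names and envelope layout are constructed assumptions):

```ruby
require "openssl"
require "base64"
require "json"
require "time"

# Constructed demo of Rails-style signed cookies (not Rails' own code).
# The secret is a constructed sample value, never a real key.
SECRET = "constructed-demo-secret".freeze

def hmac(data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Split "data--digest", check the HMAC, and decode the signed data.
def split_and_check(cookie)
  data, digest = cookie.to_s.split("--", 2)
  return nil unless digest && secure_equal?(hmac(data), digest)
  JSON.parse(Base64.strict_decode64(data))
end

# Before Rails 6: only the value is signed; the cookie name is not bound to it.
def sign_legacy(value)
  data = Base64.strict_encode64(JSON.generate(value))
  "#{data}--#{hmac(data)}"
end

def verify_legacy(_name, cookie)
  split_and_check(cookie) # the name plays no part, so any cookie name accepts it
end

# Rails 6 style: the cookie name is embedded as purpose ("pur") metadata, together
# with an optional expiry, inside the signed envelope before the "--" separator.
def sign_with_purpose(name, value, expires_at: nil)
  meta = { "message" => Base64.strict_encode64(JSON.generate(value)),
           "exp" => expires_at&.getutc&.iso8601, "pur" => "cookie.#{name}" }
  data = Base64.strict_encode64(JSON.generate("_rails" => meta))
  "#{data}--#{hmac(data)}"
end

def verify_with_purpose(name, cookie, now: Time.now)
  envelope = split_and_check(cookie)
  meta = envelope && envelope["_rails"]
  return nil unless meta && meta["pur"] == "cookie.#{name}"    # wrong cookie name: reject
  return nil if meta["exp"] && Time.iso8601(meta["exp"]) < now # expired: reject
  JSON.parse(Base64.strict_decode64(meta["message"]))
end
```

With the legacy scheme a value signed for one cookie verifies under any other name; with the purpose-bound scheme the same copied value is rejected, as is an expired one.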
Cookies previously set without this metadata will continue to be honored.
We can opt out of this feature with the following config:
The above config is true by default.