I have pulled out the encrypted cookie store into a plugin that is now available for download. You can download the plugin at

https://opensource.thinkrelevance.com/svn/incubator/encrypted_cookie_store
Feel free to give it a shot. Let me know if you run into any unexpected behavior. I would like to know its performance impact on your applications.

7 Responses

  1. Glenn says
    Hi, I have the code from your original blog post on the topic in an app I am building and I like the idea of using it as a plugin. I see in the plugin version you seem to have hardcoded two values for the cipher.key and cipher.iv values. This is dangerous in my opinion since everyone who installs the plugin will end up with the same encryption keys (making decrypting only slightly harder than the default base64 behavior). How do you suggest the best way to get these two values out of the plugin and into a config file? What about adding a rake task that generates (or replaces if run again) those keys for the user and inserts them into environment config files? Also, a suggestion would be to DRY this up a tiny bit by getting rid of the duplication of those two keys. Should be constants. No? You could probably even take it a step further and collapse the encrypt and decrypt functions into one, and add a parameter that would determine which direction it is operating in? Thanks, I look forward to seeing how this progresses and how it impacts performance.
  2. Glenn Rempe says
    ok. putting my money where my mouth is. :-) Here is a link to a patch that: - refactors the crypt methods to DRY them up. - unsets the cipher keys by default, user must set them as constants in environment.rb. plugin won't function until they do. This eliminates the common key problem. - added some simple help text in the README. Patch is here: http://pastie.caboo.se/142663 Cheers, Glenn
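The shared-key problem described in the first comment and the fix outlined in the patch (no default key, the application must configure one, a rake task to generate it) as a worked Ruby illustration. This is an added example, not the plugin's code or Glenn's patch; the `cookie_key` config name, the AES-256-CBC choice, and the per-cookie random IV are assumptions of this example.

```ruby
require "openssl"
require "securerandom"
require "base64"

# Weak pattern the comment objects to (constructed, not the plugin's values):
# a key and IV baked into the plugin source mean every install shares them,
# so the "encryption" adds little over the default base64 cookie store.
#   KEY = "0123456789abcdef0123456789abcdef"   # same 32 bytes on every site
#   IV  = "fedcba9876543210"                   # same IV reused for every cookie
#
# Corrected pattern: the key comes from the application's own config (the
# patch proposes a constant in environment.rb), the plugin refuses to run
# without it, and a fresh random IV is generated per cookie and stored with
# the ciphertext instead of being a fixed constant.
module EncryptedCookie
  CIPHER = "aes-256-cbc"
  KEY_BYTES = 32
  IV_BYTES = 16

  # What a key-generating rake task would print for the user to paste into config.
  def self.generate_key
    SecureRandom.hex(KEY_BYTES) # 64 hex chars -> 32 raw key bytes
  end

  # Load and validate the key from an app-supplied config hash (assumed shape).
  def self.key_from_config(config)
    hex = config[:cookie_key]
    raise ArgumentError, "cookie encryption key not configured" if hex.nil? || hex.empty?
    key = [hex].pack("H*")
    raise ArgumentError, "key must be #{KEY_BYTES} bytes" unless key.bytesize == KEY_BYTES
    key
  end

  def self.encrypt(plaintext, key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv               # new IV for every cookie
    ciphertext = cipher.update(plaintext) + cipher.final
    Base64.strict_encode64(iv + ciphertext) # IV travels with the ciphertext
  end

  def self.decrypt(blob, key)
    raw = Base64.strict_decode64(blob)
    iv, ciphertext = raw[0, IV_BYTES], raw[IV_BYTES..-1]
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.update(ciphertext) + cipher.final
  end
end
```

Because the IV is random per call, encrypting the same session twice yields different cookies, which the fixed IV in the weak pattern never did.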
  3. Aaron Bedra says
    Doh! Thanks for catching that. I meant to do something about that before I put it out. That's what I get for doing it late at night. I will patch it today and put it back out there. Thanks!
  4. Aaron Bedra says
    Glenn, for future reference, we have a Trac for all of the Relevance open source projects so you can submit tickets and patches. It's over at http://opensource.thinkrelevance.com. Thanks again.
  5. Aaron Bedra says
    Glenn, Thanks for the ideas. I had a little different idea of implementation, so I ran with it, but I did fix all of the things you described.
  6. Robert J. Berger says
    Is this just for Rails 2.x? Or will it work with 1.2.x?
  7. Aaron Bedra says
    Robert, I have not tested it for Rails 1.x. I was inspired to write this because of the change that Rails 2.0 made regarding the default cookie store. I simply wanted to provide a safety net type of plugin that people could grab if they wanted to.