
Cookies and Rails Sessions


  • What is a cookie? Google it if you do not know.
  • How are cookies transferred between your browser and the server?
    • Open the development tools in your browser for this page. Can you find the cookies your browser stores for makandracards?
    • In the network tab, can you see how the cookies are transferred to or from the server?
    • Can you log yourself out by manipulating a cookie? Can you log yourself back in?
  • Understand what domains mean to cookies
    • Can cookies be shared between domains?
    • Between subdomains?
    • How does a tool like Google Analytics work?
  • How do cookies expire? What are "session" cookies?
  • What does a cookie's "secure" flag do? How does it relate to HSTS?
  • Read the README of our safe_cookies gem
    • Do you understand what it does?
  • Look at Rails' API for managing cookies
    • How do you set and delete cookies?
    • What are signed cookies and how do they work?
    • What are encrypted cookies and how do they work?
  • Learn about Rails sessions
    • Where does session data live by default (the cookie store), and how does that differ from a plain cookie you set yourself?
    • What happens to existing sessions when secret_key_base changes?

Exercise: Star movies

  • In your MovieDB, implement a feature to star / unstar your favorite movies.
  • Implement this with cookies or sessions without writing anything to the database.
  • Try two separate ways of implementing this:
    • Make an AJAX call and have the server set the cookies
    • Set cookies directly on the client
  • Is this a good way to implement the star feature?
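The following is an added example (not makandra's or Rails' own code) that covers the cookie API questions above and the star exercise in one script. It re-implements the layout Rails uses for `cookies.signed` (the MessageVerifier format `base64(payload)--hmac`) and `cookies.encrypted` (AES-256-GCM with a key derived from `secret_key_base`) with nothing but the Ruby standard library, so you can see what those two methods actually do to a value. The secret, the PBKDF2 iteration count and the plain Hash used in place of the Rails cookie jar are assumptions made for the example.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed sample secret; a real app takes it from credentials / secret_key_base.
SECRET_KEY_BASE = "constructed-example-secret-do-not-reuse"

# Per-purpose keys derived from the secret with PBKDF2, the way Rails'
# ActiveSupport::KeyGenerator does it (the iteration count here is an assumption).
def derive_key(salt, length)
  OpenSSL::PKCS5.pbkdf2_hmac(SECRET_KEY_BASE, salt, 1000, length, "sha256")
end

# Constant-time comparison; with a plain == a tamperer could guess the MAC byte by byte.
def secure_compare(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed cookie, "base64(payload)--hmac": the client can read the payload,
# but any change to it (or the MAC) makes verification fail.
def sign_cookie(value)
  data = Base64.strict_encode64(JSON.generate(value))
  mac  = OpenSSL::HMAC.hexdigest("sha256", derive_key("signed cookie", 64), data)
  "#{data}--#{mac}"
end

def verify_cookie(cookie)
  data, mac = cookie.to_s.split("--", 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("sha256", derive_key("signed cookie", 64), data)
  return nil unless secure_compare(expected, mac)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil # malformed base64 or JSON is treated like a missing cookie
end

# Encrypted cookie: AES-256-GCM, so the client can neither read nor alter the value.
def encrypt_cookie(value)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key("authenticated encrypted cookie", 32)
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(value)) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

def decrypt_cookie(cookie)
  parts = cookie.to_s.split("--")
  return nil unless parts.size == 3
  ciphertext, iv, tag = parts.map { |part| Base64.strict_decode64(part) }
  return nil unless tag.bytesize == 16
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key("authenticated encrypted cookie", 32)
  cipher.iv = iv
  cipher.auth_tag = tag
  JSON.parse(cipher.update(ciphertext) + cipher.final) # final raises if the tag does not match
rescue ArgumentError, OpenSSL::Cipher::CipherError, JSON::ParserError
  nil
end

# --- star feature: starred movie ids live in a signed cookie, nothing is written to the DB ---
MAX_STARS = 100 # a single cookie holds roughly 4 KB, so bound what is stored in it

# `cookies` is a plain Hash standing in for the Rails cookie jar (assumption).
def starred_ids(cookies)
  ids = verify_cookie(cookies["starred"])
  ids.is_a?(Array) ? ids.select { |id| id.is_a?(Integer) } : []
end

def star(cookies, movie_id)
  ids = (starred_ids(cookies) | [movie_id]).first(MAX_STARS)
  cookies["starred"] = sign_cookie(ids)
  ids
end

def unstar(cookies, movie_id)
  ids = starred_ids(cookies) - [movie_id]
  cookies["starred"] = sign_cookie(ids)
  ids
end

if __FILE__ == $PROGRAM_NAME
  jar = {}
  star(jar, 7)
  star(jar, 42)
  puts jar["starred"]   # payload is readable: base64 of [7,42], then the HMAC
  p starred_ids(jar)    # [7, 42]
  forged = "#{Base64.strict_encode64('[1,2,3]')}--#{jar['starred'].split('--').last}"
  p starred_ids("starred" => forged) # [] because the HMAC no longer matches
end
```

Two things this makes visible for the "is this a good way" question: a signed cookie stops the browser from forging stars, but the list is still readable on the client and only exists in that one browser, and the 4 KB limit per cookie is why the number of ids is capped. The encrypted variant hides the value as well, at the cost of the server being the only place it can be read.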

Exercise: Try to understand GitHub's issues with cookie tossing attacks

Read this blog post.

Try to understand the different attacks, how GitHub mitigated them, and why they moved GitHub Pages to a separate domain.
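To make the domain questions from the list above and the cookie tossing exercise concrete, here is an added example (not GitHub's, Rails' or makandra's code): a miniature browser cookie jar implementing the RFC 6265 rules that matter here, namely which Domain a server may set, which cookies are sent to a subdomain, the Secure flag, and the path-length ordering that lets a subdomain "toss" a cookie in front of the parent site's own. All host names are constructed. Real browsers additionally refuse cookies whose Domain is a public suffix such as com or co.uk; this toy jar has no public suffix list, so keep that difference in mind when reading the blog post.

```ruby
require "uri"

Cookie = Struct.new(:name, :value, :domain, :host_only, :path, :secure, keyword_init: true)

class CookieJar
  def initialize
    @cookies = []
  end

  # Store one Set-Cookie header received in a response from request_host.
  # Returns false when the browser would discard the cookie.
  def set(request_host, header)
    name_value, *attrs = header.split(";").map(&:strip)
    name, value = name_value.split("=", 2)
    opts = attrs.map { |a| k, v = a.split("=", 2); [k.downcase, v] }.to_h
    domain = opts["domain"] && opts["domain"].sub(/\A\./, "").downcase
    host_only = domain.nil?
    domain ||= request_host
    # A host may only set cookies for itself or a parent domain; a sibling or an
    # unrelated domain is rejected. It may NOT restrict a cookie to a sibling host.
    return false unless domain_match?(request_host, domain)
    cookie = Cookie.new(name: name, value: value, domain: domain, host_only: host_only,
                        path: opts["path"] || "/", secure: opts.key?("secure"))
    # name + domain + path identify a cookie; a different path or domain means a second cookie
    @cookies.reject! { |c| c.name == cookie.name && c.domain == cookie.domain && c.path == cookie.path }
    @cookies << cookie
    true
  end

  # Build the Cookie request header for a URL. This is all the server gets:
  # name=value pairs, with no domain or path information.
  def cookie_header(url)
    uri = URI(url)
    matching = @cookies.select do |c|
      (c.host_only ? uri.host == c.domain : domain_match?(uri.host, c.domain)) &&
        path_match?(uri.path, c.path) &&
        (!c.secure || uri.scheme == "https")
    end
    # RFC 6265 5.4: cookies with longer paths come first
    matching.sort_by { |c| -c.path.length }.map { |c| "#{c.name}=#{c.value}" }.join("; ")
  end

  private

  def domain_match?(host, domain)
    host == domain || host.end_with?(".#{domain}")
  end

  def path_match?(request_path, cookie_path)
    request_path = "/" if request_path.empty?
    prefix = cookie_path.end_with?("/") ? cookie_path : "#{cookie_path}/"
    request_path == cookie_path || request_path.start_with?(prefix)
  end
end

if __FILE__ == $PROGRAM_NAME
  jar = CookieJar.new
  # The main site sets its session cookie without a Domain attribute (host-only).
  jar.set("app.example.test", "session=legit; Path=/; Secure; HttpOnly")
  # Attacker-controlled content on a subdomain tosses a cookie with the same name,
  # scoped to the parent host and to a deeper path so the browser sends it first.
  jar.set("evil.app.example.test", "session=attacker; Domain=app.example.test; Path=/login")
  puts jar.cookie_header("https://app.example.test/login") # session=attacker; session=legit
  puts jar.cookie_header("http://app.example.test/login")  # session=attacker (Secure cookie withheld)
  # Cross-subdomain tracking works the other way round: a cookie set on the parent
  # domain is sent to every subdomain.
  jar.set("app.example.test", "_ga=tracker; Domain=example.test")
  puts jar.cookie_header("https://other.example.test/")    # _ga=tracker
end
```

The server only sees `session=attacker; session=legit` and has no way to tell which host set which value; a framework that keeps the first occurrence of a name (Rack does) will use the attacker's one. That is the core of the problem the blog post describes, and it is why moving user content off the main site's registrable domain, rather than any server-side check, is the fix.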

Owner of this card:

Tobias Kraze
Last edit:
6 months ago
by Florian Leinsinger
Posted by Tobias Kraze to makandra Curriculum