Rails 2.0 security
I’ve been taking a look at the new session storage in Rails 2.0. Hongli points out in his blog that session data is no longer stored in files on the server in Rails 2.0. This makes the design more RESTful, since no state is kept on the server side.
Instead, all the session data is supplied by the client in the cookie. How? The session data is validated with a checksum generated using an application password (a secret known only to the server).
This implies that session data is public (any client can read it), though it can’t be changed as long as the application password is kept secret.
We are therefore subject to brute-force attacks and session replay attacks. There’s currently a flaw that makes brute-force attacks easy, although it should be fixed soon.
Also, I have to point out that before I read his post I was not aware that all cookie-based session stores are subject to session replay attacks, and that the only solution is communication encryption through, e.g., SSL.
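As an added example (not the post’s or Rails’ own code), here is a minimal cookie-based session store in Ruby that mirrors the scheme described above: the payload is readable by anyone, a modified payload is rejected because the keyed checksum (HMAC-SHA1 over the payload with the application secret) no longer matches, and a replayed old cookie still verifies. The class name, the `payload--digest` layout, the minimum secret length and the use of JSON instead of Marshal are assumptions of this example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical minimal cookie session store modelled on the Rails 2.0
# CookieStore idea described above: the session hash is serialised,
# Base64-encoded and followed by a keyed digest (HMAC-SHA1) over that
# payload, "payload--digest". JSON is used here instead of Marshal so
# that nothing attacker-controlled is ever deserialised by Marshal.
class CookieSessionStore
  def initialize(secret)
    raise ArgumentError, 'secret too short' if secret.bytesize < 30
    @secret = secret
  end

  # Server -> client: serialise, encode and sign.
  def generate(session_hash)
    data = Base64.strict_encode64(JSON.generate(session_hash))
    "#{data}--#{digest(data)}"
  end

  # Client -> server: verify the signature first, only then decode.
  # Returns nil for tampered, malformed or unsigned cookies. Note that a
  # cookie captured earlier verifies just as well: nothing here expires it.
  def load(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Anyone can read the session without the secret; only writing needs it.
  def self.peek(cookie)
    data = cookie.to_s.split('--', 2).first
    JSON.parse(Base64.strict_decode64(data))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), @secret, data)
  end

  # Constant-time comparison so the verifier does not leak how many
  # leading bytes of a forged digest were correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```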
Tags: cookies, ruby on rails, Security
Your “a flaw” link is broken.
It says “http://http://”… instead of just “http://”.
Edited, thank you!