I am attempting to do authentication from scratch, using OmniAuth.
I followed Ryan Bates's screencast. But before I roll out an implementation, I'd like to understand a few things.
In his screencast, he has a helper_method in the application_controller:
class ApplicationController < ActionController::Base
  helper_method :current_user  # expose current_user to views as well
  private
  # Memoised lookup of the logged-in user from the session's user_id
  def current_user
    @current_user ||= User.find(session[:user_id]) if session[:user_id]
  end
end
The code above checks for user_id.
I know sessions are encrypted (and stored in cookies). However, they are readable, but cannot be modified. How hard would it be for someone to hijack a session with a fake user_id? What's stopping anyone from creating a cookie from scratch or via some "cookie injector" method (if such a thing exists)?
I am trying to understand how these cookies are protected.
Sessions are generally kept server-side, and the only thing passed to/from the client via cookies is the session identifier. Storing actual session data in that cookie would be a major security hole, regardless of how well it's encrypted. E.g., if you were cheap and used rot-13 "encryption", it'd be trivial for a user to fiddle with the data and set superuser=1.
But with the session ID, that's impossible - there's nothing in the cookie that could be used to fiddle with the server-side data. At best they could send back random session ID values, and try to hijack someone else's session. With a sufficiently large ID hash, the chances of finding another session to hijack are vanishingly small.
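An added example, not code from the question, the answer or Rails itself, showing how a signed (tamper-evident) cookie store verifies a cookie: the payload stays readable, but a cookie whose user_id was changed without the server secret is rejected. The secret and session contents are constructed for the demonstration.

```ruby
# Added example (not the poster's code, not Rails' CookieStore): a minimal
# signed session cookie. The session hash is JSON-serialised and Base64-encoded,
# so its contents are readable, then signed with HMAC-SHA256 under a secret the
# client never sees. Altering user_id without the secret breaks the signature.
require "openssl"
require "base64"
require "json"
class SignedSessionCookie
  def initialize(secret)
    @secret = secret
  end
  # Cookie value sent to the browser: "<base64 payload>--<hex hmac>".
  def generate(session_hash)
    payload = Base64.strict_encode64(JSON.generate(session_hash))
    "#{payload}--#{digest(payload)}"
  end
  # Returns the session hash when the signature is valid, nil otherwise.
  def verify(cookie_value)
    payload, signature = cookie_value.to_s.split("--", 2)
    return nil if payload.nil? || signature.nil?
    return nil unless secure_compare(signature, digest(payload))
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end
  # Constant-time comparison so a forger learns nothing from response timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
# Hypothetical secret; a real app takes it from secret_key_base.
DEMO_SECRET = "constructed-secret-for-demo-only".freeze

def demo
  store = SignedSessionCookie.new(DEMO_SECRET)
  cookie = store.generate({ "user_id" => 42 })
  payload, signature = cookie.split("--", 2)
  readable = JSON.parse(Base64.strict_decode64(payload))  # anyone can read it
  # Re-encoding a different user_id leaves the old signature stale, so verify fails.
  tampered = "#{Base64.strict_encode64(JSON.generate({ "user_id" => 1 }))}--#{signature}"
  { valid: store.verify(cookie), readable: readable, tampered: store.verify(tampered) }
end
```

Rails' cookie store layers encryption on top of this signing, but the tamper check works the same way: without the secret, a rewritten user_id cannot be given a valid signature.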