A Deep Dive into Sessions

Transcript

1. @justinweiss #deep-sessions A Deep Dive into Sessions Justin Weiss

2. @justinweiss #deep-sessions

3. justinweiss.com

4. @justinweiss #deep-sessions A Deep Dive into Sessions Justin Weiss

5. None

6. @justinweiss #deep-sessions We need to know our users

7. None

8. @justinweiss #deep-sessions http: //catphotos.com/?breed=Persian& location=Seattle&user=justin

9. @justinweiss #deep-sessions http: //catphotos.com/?breed=Persian& location=Seattle&user=admin

10. @justinweiss #deep-sessions session[:current_user_id] = @user.id

11. @justinweiss #deep-sessions Thank you!

12. @justinweiss #deep-sessions session[:current_user_id] = @user.id

13. @justinweiss #deep-sessions Always?

14. None

15. @justinweiss #deep-sessions My Three Phases of Understanding 1. Do more

    of the thing that isn’t working
16. None

17. @justinweiss #deep-sessions My Three Phases of Understanding 1. Do more

    of the thing that isn’t working 2. Avoid the thing that isn’t working

18. @justinweiss #deep-sessions My Three Phases of Understanding 1. Do more

    of the thing that isn’t working 2. Avoid the thing that isn’t working 3. Learn the thing! (And use it correctly)

19. @justinweiss #deep-sessions Know about a user, securely, until they leave.

20. None

21. @justinweiss #deep-sessions http: //catphotos.com/?breed=Persian& location=Seattle&user=justin

22. @justinweiss #deep-sessions HTTP/1.1 200 OK Date: Wed, 08 Mar 2017

    22:57:05 GMT ... X-Params-Breed: Persian ...

23. @justinweiss #deep-sessions HTTP/1.1 200 OK Date: Wed, 08 Mar 2017

    22:57:05 GMT ... X-Params-Breed: Persian ...
24. None

25. @justinweiss #deep-sessions It’s managed by the browser, not the server

26. @justinweiss #deep-sessions What does a cookie look like?

27. @justinweiss #deep-sessions $ curl -I http: // www.google.com HTTP/1.1 200

    OK Date: Wed, 08 Mar 2017 22:57:05 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Set-Cookie: NID=98=T ... Transfer-Encoding: chunked Accept-Ranges: none

28. @justinweiss #deep-sessions $ curl -I http: // www.google.com HTTP/1.1 200

    OK Date: Wed, 08 Mar 2017 22:57:05 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Set-Cookie: NID=98=T ... Transfer-Encoding: chunked Accept-Ranges: none

29. @justinweiss #deep-sessions GET / HTTP/1.1 User-Agent: curl/7.37.1 Host: www.google.com ...

    Cookie: NID=98=T ...

30. @justinweiss #deep-sessions < HTTP/1.1 200 OK < … < Set-Cookie:

    NID=98=T ... > GET / HTTP/1.1 > Host: www.google.com > ... > Cookie: NID=98=T ...

31. @justinweiss #deep-sessions Cookie: name=justin; expires=Thu, 07-Sep-2017 22:57:05 GMT; \ path=/;

    domain=.google.com; HttpOnly

32. @justinweiss #deep-sessions Cookie: name=justin; expires=Thu, 07-Sep-2017 22:57:05 GMT; \ path=/;

    domain=.google.com; HttpOnly

33. @justinweiss #deep-sessions Cookie: name=justin; expires=Thu, 07-Sep-2017 22:57:05 GMT; \ path=/;

    domain=.google.com; HttpOnly

34. @justinweiss #deep-sessions Cookie: name=justin; expires=Thu, 07-Sep-2017 22:57:05 GMT; \ path=/;

    domain=.google.com; HttpOnly

35. @justinweiss #deep-sessions okie: name=justin; expi th=/; domain=.google.co

36. @justinweiss #deep-sessions ; expires=Thu, 07-Sep-2017 22:57:05 GMT; gle.com; HttpOnly

37. @justinweiss #deep-sessions Cookie: name=justin; path=/; domain=.google.com; HttpOnly

38. None

39. @justinweiss #deep-sessions ; expires=Thu, 07-Sep-2017 22:57:05 GMT; gle.com; HttpOnly

40. @justinweiss #deep-sessions Cookie: name=justin; expires=Thu, 07-Sep path=/; domain=.google.com; HttpOnly

41. @justinweiss #deep-sessions Cookie: name=justin; expires=Thu, 07-Sep path=/; domain=.google.com; HttpOnly @justinweiss

    #deep-sessions

42. @justinweiss #deep-sessions =justin; expires=Thu, 07-Sep-2017 22:57:0 in=.google.com; HttpOnly

43. @justinweiss #deep-sessions What does this have to do with sessions?

44. @justinweiss #deep-sessions –Archimedes, Junior Web Developer Give a programmer a

    hash table and they will move the earth.

45. @justinweiss #deep-sessions Set-Cookie: name=Justin; Set-Cookie: favorite_color=Blue; Set-Cookie: preferred_language=Ruby;

46. @justinweiss #deep-sessions Set-Cookie: username=justin; path=/; HttpOnly

47. @justinweiss #deep-sessions Set-Cookie: username=admin; path=/; HttpOnly

48. @justinweiss #deep-sessions class UsersController < ApplicationController def greet session[:name] =

    params[:name] if params[:name] render plain: "Hello, #{session[:name]}!" end end

49. @justinweiss #deep-sessions class UsersController < ApplicationController def greet session[:name] =

    params[:name] if params[:name] render plain: "Hello, #{session[:name]}!" end end

50. @justinweiss #deep-sessions $ curl -i "http: //localhost:3000/users/greet?name=Justin" HTTP/1.1 200 OK

    ... Set-Cookie: _session_my_app=OXJ2SkhNaFZBWDd1eDU3djhSekZRdmN6WjNKUjN4dlBiMWt3 bW9sVjM0OERIZ3lPUmV1UFB2MmlySzI0OXJtbTRDdmI3TGd0S3AvMVNjdTlueEo1 Y05zMnE3NTdsMVVmWWFVSXA5NVFOT0U9LS1tM21SL2tIMGhxYjFEWjZjb2Y3ZWln PT0%3D --533f89e5525959c122e31ff7eae5b886b2ed7fe9; path=/; HttpOnly

51. @justinweiss #deep-sessions $ curl -i "http: //localhost:3000/users/greet?name=Justin" HTTP/1.1 200 OK

    ... Set-Cookie: _session_my_app=OXJ2SkhNaFZBWDd1eDU3djhSekZRdmN6WjNKUjN4dlBiMWt3 bW9sVjM0OERIZ3lPUmV1UFB2MmlySzI0OXJtbTRDdmI3TGd0S3AvMVNjdTlueEo1 Y05zMnE3NTdsMVVmWWFVSXA5NVFOT0U9LS1tM21SL2tIMGhxYjFEWjZjb2Y3ZWln PT0%3D --533f89e5525959c122e31ff7eae5b886b2ed7fe9; path=/; HttpOnly

52. @justinweiss #deep-sessions $ curl -i "http: //localhost:3000/users/greet?name=Justin" HTTP/1.1 200 OK

    ... Set-Cookie: _session_my_app=OXJ2SkhNaFZBWDd1eDU3djhSekZRdmN6WjNKUjN4dlBiMWt3 bW9sVjM0OERIZ3lPUmV1UFB2MmlySzI0OXJtbTRDdmI3TGd0S3AvMVNjdTlueEo1 Y05zMnE3NTdsMVVmWWFVSXA5NVFOT0U9LS1tM21SL2tIMGhxYjFEWjZjb2Y3ZWln PT0%3D --533f89e5525959c122e31ff7eae5b886b2ed7fe9; path=/; HttpOnly

53. @justinweiss #deep-sessions Rails.application.config.session_store :cookie_store, key: '_session_my_app' config/initializers/session_store.rb

54. @justinweiss #deep-sessions $ curl -i "http: //localhost:3000/users/greet?name=Justin" HTTP/1.1 200 OK

    ... Set-Cookie: _session_my_app=OXJ2SkhNaFZBWDd1eDU3djhSekZRdmN6WjNKUjN4dlBiMWt3 bW9sVjM0OERIZ3lPUmV1UFB2MmlySzI0OXJtbTRDdmI3TGd0S3AvMVNjdTlueEo1 Y05zMnE3NTdsMVVmWWFVSXA5NVFOT0U9LS1tM21SL2tIMGhxYjFEWjZjb2Y3ZWln PT0%3D --533f89e5525959c122e31ff7eae5b886b2ed7fe9; path=/; HttpOnly

55. @justinweiss #deep-sessions $ curl -i "http: //localhost:3000/users/greet?name=Justin" HTTP/1.1 200 OK

    ... Set-Cookie: _session_my_app=OXJ2SkhNaFZBWDd1eDU3djhSekZRdmN6WjNKUjN4dlBiMWt3 bW9sVjM0OERIZ3lPUmV1UFB2MmlySzI0OXJtbTRDdmI3TGd0S3AvMVNjdTlueEo1 Y05zMnE3NTdsMVVmWWFVSXA5NVFOT0U9LS1tM21SL2tIMGhxYjFEWjZjb2Y3ZWln PT0%3D --533f89e5525959c122e31ff7eae5b886b2ed7fe9; path=/; HttpOnly
56. None

57. @justinweiss #deep-sessions production: secret_key_base: <%= ENV["SECRET_KEY_BASE"] %> config/secrets.yml

58. @justinweiss #deep-sessions Rails.application.key_generator

59. @justinweiss #deep-sessions secret = Rails.application.key_generator .generate_key("encrypted cookie") sign_secret = Rails.application.key_generator

    .generate_key("signed encrypted cookie") encryptor = ActiveSupport ::MessageEncryptor.new( secret, sign_secret, serializer: ActiveSupport ::MessageEncryptor ::NullSerializer)

60. @justinweiss #deep-sessions encryptor.decrypt_and_verify("OXJ2SkhNaFZBWDd1eDU3djhSekZRdmN6W jNKUjN4dlBiMWt3bW9sVjM0OERIZ3lPUmV1UFB2MmlySzI0OXJtbTRDdmI3TGd0 S3AvMVNjdTlueEo1Y05zMnE3NTdsMVVmWWFVSXA5NVFOT0U9LS1tM21SL2tIMGh xYjFEWjZjb2Y3ZWlnPT0= --533f89e5525959c122e31ff7eae5b886b2ed7fe9 ")

61. @justinweiss #deep-sessions { "session_id":"35481e34ef3c0d0ac83e4dccf8520120", "name":"Justin" }

62. @justinweiss #deep-sessions Rails.application.config. action_dispatch.cookies_serializer = :json config/initializers/cookies_serializer.rb

63. @justinweiss #deep-sessions • Rails stores session data inside a single

    cookie • By default, the session data is turned into JSON • Rails signs and encrypts the cookie • The session key and serializer can be configured to be something different

64. @justinweiss #deep-sessions { "session_id":"35481e34ef3c0d0ac83e4dccf8520120", "name":"Justin" }

65. @justinweiss #deep-sessions class UsersController < ApplicationController def greet session[:name] =

    params[:name] if params[:name] render plain: "Hello, #{session[:name]}!" end end

66. @justinweiss #deep-sessions curl -H "Cookie: _session_my_app=OXJ2SkhNaFZBW Dd1eDU3djhSekZRdmN6WjNKUjN4dlBiMWt3bW9sVjM0OER IZ3lPUmV1UFB2MmlySzI0OXJtbTRDdmI3TGd0S3AvMVNjd TlueEo1Y05zMnE3NTdsMVVmWWFVSXA5NVFOT0U9LS1tM21 SL2tIMGhxYjFEWjZjb2Y3ZWlnPT0=—533f89e5525959c

    122e31ff7eae5b886b2ed7fe9; path=/; HttpOnly" "http: //localhost:3000/users/greet" Hello, Justin!

67. @justinweiss #deep-sessions curl -H "Cookie: _session_my_app=OXJ2SkhNaFZBW Dd1eDU3djhSekZRdmN6WjNKUjN4dlBiMWt3bW9sVjM0OER IZ3lPUmV1UFB2MmlySzI0OXJtbTRDdmI3TGd0S3AvMVNjd TlueEo1Y05zMnE3NTdsMVVmWWFVSXA5NVFOT0U9LS1tM21 SL2tIMGhxYjFEWjZjb2Y3ZWlnPT0=—533f89e5525959c

    122e31ff7eae5b886b2ed7fe9; path=/; HttpOnly" "http: //localhost:3000/users/greet" Hello, Justin!

68. @justinweiss #deep-sessions

69. @justinweiss #deep-sessions

70. @justinweiss #deep-sessions

71. @justinweiss #deep-sessions

72. @justinweiss #deep-sessions

73. @justinweiss #deep-sessions Sessions beyond cookies

74. @justinweiss #deep-sessions curl -H "Cookie: _session_my_app={\"book\": Call me Ishmael. Some

    years ago—never mind how long precisely—having little or no money in my purse, and nothing particular to interest me on shore, I thought I would sail about a little and see the watery part of the world. It is a way I have of driving off the spleen and regulating the circulation. Whenever I find myself growing grim about the mouth; whenever it is a damp, drizzly November in my soul; whenever I find myself involuntarily pausing before coffin warehouses, and bringing up the rear of every funeral I meet; and especially whenever my hypos get such an upper hand of me, that it requires a strong moral principle to prevent me from deliberately stepping into the street, and methodically knocking people’s hats off— then, I account it high time to get to sea as soon as I can. This is my substitute for pistol and ball. With a philosophical flourish Cato throws himself upon his sword; I quietly take to the ship. There is nothing surprising in this. If they but knew it, almost all men in their degree, some time or other, cherish very nearly the same feelings towards the ocean with me. There now is your insular city of the Manhattoes, belted round by wharves as Indian isles by coral reefs— commerce surrounds it with her surf. Right and left, the streets take

75. @justinweiss #deep-sessions curl -H "Cookie: _session_my_app={\"book\": Call me Ishmael. Some

    years ago—never mind how long precisely—having little or no money in my purse, and nothing particular to interest me on shore, I thought I would sail about a little and see the watery part of the world. It is a way I have of driving off the spleen and regulating the circulation. Whenever I find myself growing grim about the mouth; whenever it is a damp, drizzly November in my soul; whenever I find myself involuntarily pausing before coffin warehouses, and bringing up the rear of every funeral I meet; and especially whenever my hypos get such an upper hand of me, that it requires a strong moral principle to prevent me from deliberately stepping into the street, and methodically knocking people’s hats off— then, I account it high time to get to sea as soon as I can. This is my substitute for pistol and ball. With a philosophical flourish Cato throws himself upon his sword; I quietly take to the ship. There is nothing surprising in this. If they but knew it, almost all men in their degree, some time or other, cherish very nearly the same feelings towards the ocean with me. There now is your insular city of the Manhattoes, belted round by wharves as Indian isles by coral reefs— commerce surrounds it with her surf. Right and left, the streets take

76. @justinweiss #deep-sessions ActionDispatch::Cookies::CookieOverflow

77. COOKIE OVERFLOW

78. @justinweiss #deep-sessions How do you keep your cookies small?

79. @justinweiss #deep-sessions user_id=1; expires=Thu, 07-Sep-2017 22:57:05 GMT; path=/; domain=.google.com; HttpOnly

80. @justinweiss #deep-sessions What if you don't have an account?

81. @justinweiss #deep-sessions user_id=35481e34ef3c0d0ac83e4dccf8520120; expires=Thu, 07- Sep-2017 22:57:05 GMT; path=/; domain=.google.com;

    HttpOnly

82. @justinweiss #deep-sessions session_id=35481e34ef3c0d0ac83e4dccf8520120; expires=Thu, 07- Sep-2017 22:57:05 GMT; path=/; domain=.google.com;

    HttpOnly

83. @justinweiss #deep-sessions 1. Store the data in the cookie 2.

    Store a reference to the data in the cookie

84. @justinweiss #deep-sessions session[:name] = "Justin"

85. @justinweiss #deep-sessions Creating an ActiveRecord session 1. Generate a new

    random session id 2. Turn the session hash into a string 3. Save the id and data to a sessions table in your database 4. Return the session id with Set-Cookie:

86. @justinweiss #deep-sessions Rails.application.config.session_store :cookie_store, key: '_session_my_app'

87. @justinweiss #deep-sessions Rails.application.config.session_store :active_record_store, key: '_session_my_app'

88. @justinweiss #deep-sessions $ curl -i "http: //localhost:3000/users/greet?name=Justin" HTTP/1.1 200 OK

    ... Set-Cookie: _session_my_app=a6c4946995fe1a7fe0e472610c368858; path=/; HttpOnly Hello, Justin!

89. @justinweiss #deep-sessions $ curl -i "http: //localhost:3000/users/greet?name=Justin" HTTP/1.1 200 OK

    ... Set-Cookie: _session_my_app=a6c4946995fe1a7fe0e472610c368858; path=/; HttpOnly Hello, Justin!

90. @justinweiss #deep-sessions $ curl -i "http: //localhost:3000/users/greet?name=Justin" HTTP/1.1 200 OK

    ... Set-Cookie: _session_my_app=a6c4946995fe1a7fe0e472610c368858; path=/; HttpOnly Hello, Justin! session_id | data a6c4946995fe1a7fe0e472610c368858 | BAh7BkkiCW5hbWUGOgZFRkkiC0p1c3RpbgY7AFQ=

91. @justinweiss #deep-sessions curl -H "Cookie: _session_my_app=a6c4946995fe1a7fe0e472610c368858; path=/; HttpOnly" "http: //localhost:3000/users/greet"

    Hello, Justin!

92. @justinweiss #deep-sessions Finding an ActiveRecord session 1. Grab the session

    id out of the cookie 2. Look up the session id in the database 3. Grab the data associated with that id 4. Turn that data back into the sessions hash

93. @justinweiss #deep-sessions CacheStore ActiveRecordStore RedisSessionStore MongoSessionStore …

94. @justinweiss #deep-sessions Your Very Own Session Store • find_session •

    write_session • delete_session

95. @justinweiss #deep-sessions Two kinds of session store • CookieStore: store

    all data in the cookie • Everything Else: store a pointer to data in the cookie

96. @justinweiss #deep-sessions Two kinds of session store • CookieStore: store

    all data in the cookie • Everything Else: store a pointer to data in the cookie

97. @justinweiss #deep-sessions Which session store is right for you?

98. @justinweiss #deep-sessions Cookie Store • No extra setup • Syncs

    with the browser lifecycle • Can only store 4kb of data • Risk of session replay attacks

99. @justinweiss #deep-sessions Cookie Store • No extra setup • Syncs

    with the browser lifecycle • Can only store 4kb of data • Risk of session replay attacks

100. @justinweiss #deep-sessions CacheStore • You probably already have a cache

     • Built into Rails • Fast -- usually kept in memory • Sessions and cache fight for space - sessions can get kicked out • Resetting your cache expires all sessions

101. @justinweiss #deep-sessions CacheStore • You probably already have a cache

     • Built into Rails • Fast -- usually kept in memory • Sessions and cache fight for space - sessions can get kicked out • Resetting your cache expires all sessions

102. @justinweiss #deep-sessions CacheStore • You probably already have a cache

     • Built into Rails • Fast -- usually kept in memory • Sessions and cache fight for space - sessions can get kicked out • Resetting your cache expires all sessions

103. @justinweiss #deep-sessions CacheStore • You probably already have a cache

     • Built into Rails • Fast -- usually kept in memory • Sessions and cache fight for space - sessions can get kicked out • Resetting your cache expires all sessions

104. @justinweiss #deep-sessions DatabaseStore • Keeps session data around until expiration

     • Need to clean up expired sessions • Might have capacity issues as session data grows

105. @justinweiss #deep-sessions DatabaseStore • Keeps session data around until expiration

     • Need to clean up expired sessions • Might have capacity issues as session data grows

106. @justinweiss #deep-sessions DatabaseStore • Keeps session data around until expiration

     • Need to clean up expired sessions • Might have capacity issues as session data grows

107. @justinweiss #deep-sessions What’s the best session store? • CookieStore •

     CacheStore • Database Store
108. None

109. @justinweiss #deep-sessions Leaking Session IDs

110. None
111. None

112. @justinweiss #deep-sessions Use HTTPS!

113. @justinweiss #deep-sessions config.force_ssl = true config/environments/production.rb

114. @justinweiss #deep-sessions Set-Cookie: _session_my_app=d01b4e1c3d9238e82452c678d0660cf4; path=/; secure; HttpOnly

115. @justinweiss #deep-sessions JavaScript and Cross-site Scripting

116. @justinweiss #deep-sessions document.cookie

117. None

118. @justinweiss #deep-sessions Set-Cookie: _session_my_app=d01b4e1c3d9238e82452c678d0660cf4; path=/; HttpOnly

119. @justinweiss #deep-sessions Replay Attacks

120. @justinweiss #deep-sessions Set-Cookie: _session_my_app= '{"session_id":"35481e34ef3c0d0ac83e4dccf8520120", "credit":"400"}'

121. @justinweiss #deep-sessions Set-Cookie: _session_my_app= '{"session_id":"35481e34ef3c0d0ac83e4dccf8520120", "credit":"9999999"}'

122. @justinweiss #deep-sessions Set-Cookie: _session_my_app=encrypted-string-with-value-400 Cookie: _session_my_app=encrypted-string-with-value-400 Set-Cookie: _session_my_app=encrypted-string-with-value-300 Cookie: _session_my_app=encrypted-string-with-value-400

123. @justinweiss #deep-sessions Set-Cookie: _session_my_app=encrypted-string-with-value-400 Cookie: _session_my_app=encrypted-string-with-value-400 Set-Cookie: _session_my_app=encrypted-string-with-value-300 Cookie: _session_my_app=encrypted-string-with-value-400

124. @justinweiss #deep-sessions Set-Cookie: _session_my_app=encrypted-string-with-value-400 Cookie: _session_my_app=encrypted-string-with-value-400 Set-Cookie: _session_my_app=encrypted-string-with-value-300 Cookie: _session_my_app=encrypted-string-with-value-400

125. @justinweiss #deep-sessions Set-Cookie: _session_my_app=encrypted-string-with-value-400 Cookie: _session_my_app=encrypted-string-with-value-400 Set-Cookie: _session_my_app=encrypted-string-with-value-300 Cookie: _session_my_app=encrypted-string-with-value-400

126. @justinweiss #deep-sessions Set-Cookie: _session_my_app=encrypted-string-with-value-400 Cookie: _session_my_app=encrypted-string-with-value-400 Set-Cookie: _session_my_app=encrypted-string-with-value-300 Cookie: _session_my_app=encrypted-string-with-value-400

127. @justinweiss #deep-sessions Session Best Practices

128. @justinweiss #deep-sessions Prepare for the session to go away at

     any time

129. @justinweiss #deep-sessions Don’t store complex objects

130. @justinweiss #deep-sessions # == Schema Information # # Table name:

     cart_items # # id :integer not null, primary key # title :string # quantity :integer # created_at :datetime # updated_at :datetime # class CartItem < ActiveRecord ::Base ... end

131. @justinweiss #deep-sessions # == Schema Information # # Table name:

     cart_items # # id :integer not null, primary key # name :string # quantity :integer # created_at :datetime # updated_at :datetime # class CartItem < ActiveRecord ::Base ... end
132. None

133. @justinweiss #deep-sessions • ❌ Reverse the change • ❌ Delete

     all sessions • ✅ Go into the corner and cry

134. @justinweiss #deep-sessions • ❌ Reverse the change • ❌ Delete

     all sessions • ✅ Go into the corner and cry

135. @justinweiss #deep-sessions Store references to objects, not objects themselves.

136. @justinweiss #deep-sessions Use sessions with intent

137. @justinweiss #deep-sessions Use sessions with intent

138. @justinweiss #deep-sessions Use sessions with intent

139. @justinweiss #deep-sessions How to debug session problems

140. @justinweiss #deep-sessions Isolate the problem

141. @justinweiss #deep-sessions expected input … problem area … expected output

142. None

143. @justinweiss #deep-sessions What if your server’s working fine?

144. @justinweiss #deep-sessions mitmproxy

145. None

146. @justinweiss #deep-sessions Check your domain settings! path=/; domain=.google.com;

147. @justinweiss #deep-sessions Decrypt your cookies CookieDecryptor.decrypt("OXJ2SkhN…")

148. @justinweiss #deep-sessions Sessions are core to the modern web

149. None

150. @justinweiss #deep-sessions Complexity layered on • More data? Serialize it

     / Store a pointer. • Tampering? Add encryption. • Cross-site Scripting? Add HttpOnly. • Snooping? Add Secure.

151. It’s just code

152. It’s just code

153. @justinweiss #deep-sessions My Three Phases of Understanding 1. Do more

     of the thing that isn’t working 2. Avoid the thing that isn’t working 3. Learn the thing! (And use it correctly)
154. None

155. @justinweiss #deep-sessions Justin Weiss @justinweiss https://www.avvo.com [email protected] https://www.justinweiss.com/railsconf-2017 Thank you!

156. @justinweiss #deep-sessions Justin Weiss @justinweiss https://www.avvo.com [email protected] https://www.justinweiss.com/railsconf-2017 Thank you!

157. @justinweiss #deep-sessions Justin Weiss @justinweiss https://www.avvo.com [email protected] https://www.justinweiss.com/railsconf-2017 Thank you!

158. @justinweiss #deep-sessions Justin Weiss @justinweiss https://www.avvo.com [email protected] https://www.justinweiss.com/railsconf-2017 Thank you!

159. @justinweiss #deep-sessions Image Credits