Much of internet security is centered around protecting the user and the user's information. In building web apps, there are two main ways to store that information: cookies and sessions. Here let's go over a few quick differences between the two, and delve into a high-level view of protecting your users against some of the attacks on them.
One thing that makes a session different is that the session is deleted when the user closes the browser.
How? Well, sessions use a temporary cookie on the user's browser to store information, usually an encrypted version of the user's id. In a Rails application, the client passes this encrypted user id back to the server, where the server decrypts it and queries the right id. As per usual protocol, the session is created when logging in and destroyed when logging out.
Cookies persist even after the browser closes. Moreover, cookies persist while the user navigates from one page to the next.
Unfortunately, users can block or delete cookies, making cookie-based features useless.
Unlike sessions, cookies are not automatically secure. There are 4 main ways cookies can be compromised:
To prevent these attacks, you can respectively:
Cross-site scripting (XSS) enables attackers to inject client-side scripts into web pages that the user trusts (for example through a form's comment field). An XSS vulnerability may be used to let attackers bypass access controls such as the same-origin policy.
Cross-site request forgery (XSRF), or one-click attack, exploits the trust a site has in a user's browser. While authenticated on a website (like a bank website), the user might accidentally click on a script that instigates the XSRF attack. See more here.
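The two ideas above, a session cookie that carries the user's id and a forged request that rides on the browser's trust, come together in the following added example. It is not code from the original post or from Rails itself; it is a stand-alone Ruby sketch of the server side. The session cookie holds the user id plus an HMAC tag (a signed cookie, which is what keeps the id tamper-proof on the way back from the browser), and every state-changing request must also carry a per-session random token that a cross-site page cannot read. `SECRET_KEY`, `handle_transfer`, the `authenticity_token` form field name and the Hash standing in for the server-side session are all assumptions made for the example.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Constructed secret for the example; a real Rails app takes this from
# config/credentials, never from a literal in source.
SECRET_KEY = 'example-secret-do-not-use-in-production'.freeze

# Constant-time string comparison so a forged tag does not leak, through
# timing, how many leading bytes happened to match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# --- Session cookie ------------------------------------------------------
# Encode the user id (base64 of a small JSON payload) and append an HMAC
# tag. The browser can see the value, but any change invalidates the tag.
def build_session_cookie(user_id, secret = SECRET_KEY)
  payload = [JSON.generate('user_id' => user_id)].pack('m0')
  tag = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{tag}"
end

# Verify the tag first, then decode. Returns the user id, or nil for a
# missing, malformed or tampered cookie.
def read_session_cookie(cookie, secret = SECRET_KEY)
  payload, tag = cookie.to_s.split('--', 2)
  return nil if payload.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_equal?(tag, expected)
  JSON.parse(payload.unpack1('m0'))['user_id']
rescue ArgumentError, JSON::ParserError
  nil # invalid base64 or JSON: treat exactly like a tampered cookie
end

# --- CSRF token ----------------------------------------------------------
# The server-side session is modelled as a plain Hash here (constructed).
# The token is random per session and embedded in every form; a page on
# another origin cannot read it, so a forged request cannot supply it.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

def valid_csrf_token?(session, submitted)
  expected = session[:csrf_token]
  return false if expected.nil? || submitted.nil?
  secure_equal?(expected, submitted.to_s)
end

# Handle a state-changing request: both the session cookie and the form
# token must check out before the action runs. Returns [status, message].
def handle_transfer(cookie, session, form)
  user_id = read_session_cookie(cookie)
  return [403, 'no valid session'] if user_id.nil?
  return [403, 'csrf token mismatch'] unless valid_csrf_token?(session, form['authenticity_token'])
  [200, "transfer by user #{user_id} accepted"]
end

if __FILE__ == $0
  session = {}
  cookie = build_session_cookie(42)
  token = issue_csrf_token(session)
  p handle_transfer(cookie, session, 'authenticity_token' => token)
  # Cross-site request: the browser attaches the cookie, but the form token is absent.
  p handle_transfer(cookie, session, {})
  # Tampered cookie: payload for user 1 glued to the tag computed for user 42.
  forged = [JSON.generate('user_id' => 1)].pack('m0') + '--' + cookie.split('--', 2)[1]
  p handle_transfer(forged, session, 'authenticity_token' => token)
end
```

Run it directly and the three requests come back as 200, 403 (no token) and 403 (bad cookie). The tag check happens before the payload is decoded, so untrusted input never reaches the JSON parser, and the comparison is constant-time in both places for the same reason.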
More on security!
Rails Tutorial, Salting a Password Hash