“But actually it’s possible to guess your cookie since they are always the same and are not XORed”
Rodrigo Rosenfeld Rosas

Only the CRIME exploit could guess the cookie. The attacker doesn’t need to decipher it and mess with it. He needs to guess it whole to steal the session.

With the CRIME exploit this was possible, and the encryption done by Rails doesn’t protect from a CRIME attack. The only protection was to disable HTTPS compression.

BREACH cannot do this because it targets body compression, so the main vulnerability for BREACH is the csrf-token placed inside the response, which is protected in Rails with those XORs.
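
The per-response XOR masking of the CSRF token mentioned above, sketched in Ruby as an added example (not part of the original comment and not Rails' own source). The method names and the 32-byte token length are assumptions made for illustration.

```ruby
require "securerandom"

TOKEN_LENGTH = 32 # bytes; assumed length for this example

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  raise ArgumentError, "length mismatch" unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Build the value embedded in the response body: pad || (pad XOR token).
# A fresh random pad per response means the bytes in the compressed body
# never repeat, even though the session's real token stays the same.
def mask_token(raw_token)
  pad = SecureRandom.random_bytes(raw_token.bytesize)
  [pad + xor_bytes(pad, raw_token)].pack("m0") # strict base64
end

# Recover the real token from a submitted masked value; nil if malformed.
def unmask_token(masked)
  bytes = masked.unpack1("m0") # raises ArgumentError on invalid base64
  return nil unless bytes.bytesize == TOKEN_LENGTH * 2
  xor_bytes(bytes.byteslice(0, TOKEN_LENGTH),
            bytes.byteslice(TOKEN_LENGTH, TOKEN_LENGTH))
rescue ArgumentError
  nil
end

# Compare without leaking the position of the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server-side check of a submitted token against the session's real token.
def valid_token?(session_token, submitted)
  candidate = unmask_token(submitted)
  !candidate.nil? && secure_equal?(candidate, session_token)
end

if __FILE__ == $PROGRAM_NAME
  session_token = SecureRandom.random_bytes(TOKEN_LENGTH) # constructed sample
  first, second = mask_token(session_token), mask_token(session_token)
  puts "two responses differ: #{first != second}"
  puts "both still validate:  #{valid_token?(session_token, first) && valid_token?(session_token, second)}"
end
```

The session cookie gets no such per-response masking, which is why the comment treats it separately from the token in the body.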
