I forgot to mention though, the signing just stops users from changing
the session data without the server knowing, it doesn't stop them from
reading it. Any data in the session when using the cookie session
store only needs to be base64 decoded and unmarshaled with Ruby to
find out what's inside. As far as I'm concerned, any app that's
keeping secrets from me about me is not the kind of app I want to be
using anyway.
On 25/05/2008, at 1:43 PM, _why wrote:
On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote:
* The cookie session is named Camping::Session and is placed in
camping/session.rb. Maybe this should be called
Camping::CookieSession or???
You know, these cookie sessions seem like they could be a problem.
A lot of sessions would contain just the hash and the user name.
So, spoof the user name and you're in, you know?
_why
_______________________________________________
Camping-list mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/camping-list
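The point made above (signing gives integrity, not confidentiality) as an added Ruby example; this is not Camping's own session code, and the secret name, the `--` separator and the HMAC-SHA1 choice are assumptions:

```ruby
require 'base64'
require 'openssl'

# Constructed, server-only key (assumption; not a real Camping value).
SECRET = 'constructed-server-side-secret'

# Signature over the serialised session blob.
def sign(blob)
  OpenSSL::HMAC.hexdigest('SHA1', SECRET, blob)
end

# Constant-time comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: the cookie is Base64(Marshal.dump(hash)) plus a signature.
def encode_session(hash)
  blob = Base64.strict_encode64(Marshal.dump(hash))
  "#{blob}--#{sign(blob)}"
end

# Server side: only unmarshal after the signature verifies; a modified
# payload carries a stale signature and is rejected with nil.
def decode_session(cookie)
  blob, sig = cookie.split('--', 2)
  return nil unless sig && secure_equal?(sign(blob), sig)
  Marshal.load(Base64.strict_decode64(blob))
end

# Client side: no key is needed to read the session contents, which is
# why nothing secret belongs in a cookie-backed session.
def read_without_key(cookie)
  blob = cookie.split('--', 2).first
  Marshal.load(Base64.strict_decode64(blob))
end
```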