Agreed all the previous stuff...

> The reason nobody can ever spoof a session is that they can never generate
> the needed hash because they don't have the @@state_secret piece of text
> needed to do so, hopefully! This presents a challenge for open source. We
> really need to raise an error if anyone tries to use CookieSessions without
> setting the @state_secret to something other than nil or "". Maybe one good

I don't think raising an error is _required_; filling the log with a meaningful message / advice should be enough.

> solution is to add logic to CookieSessions so that if it is run without a
> @@state_secret supplied, it creates a file containing the state_secret,
> filling it with totally random characters. This too is a terrible security
> risk though, as the camping app may be being run in a webserver like apache
> or lighttpd, and that state_secret file generated may be readable by the web
> server. If an attacker can simply download a file telling them the state
> secret, it's game over. The only sensible default I could think of was the
> source code to the application itself, still problematic for open source,
> but would allow people to build apps without specifying an @state_secret and

Interesting idea.

> have a unique value used anyway. As they change the source code during
> development, they would be repeatedly signed out. I couldn't figure out a

I think it would be more of an annoyance than a real trouble for the users. The Web is intrinsically broken.

> way to do this well with the current release of camping.

For your idea of using the source code (I think it could be more than enough), I think other variations could be:

- Using a directory listing of the app.
- The value of an environment variable (
- The timestamp (or something derived) of the folder containing the app.
- The path where the app is installed
- etc

--
Aníbal

>
> —
> Jenna
>
> On 26/05/2008, at 7:45 AM, Aria Stewart wrote:
>
>> On Sat, 2008-05-24 at 22:43 -0500, _why wrote:
>>>
>>> On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote:
>>>>
>>>> * The cookie session is named Camping::Session and is placed in
>>>> camping/session.rb. Maybe this should be called Camping::CookieSession
>>>> or???
>>>
>>> You know, these cookie sessions seem like they could be a problem.
>>> A lot of sessions would contain just the hash and the user name.
>>> So, spoof the user name and you're in, you know?
>>
>> Agreed, without an HMAC signature.
>>
>> _______________________________________________
>> Camping-list mailing list
>> [email protected]
>> http://rubyforge.org/mailman/listinfo/camping-list
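The HMAC-signed cookie session the thread calls for, as an added Ruby example that is not Camping's own code: the class and method names, the cookie layout and the constructed secret are assumptions, but the two properties are the ones discussed above (refuse to run with a nil or empty state_secret; reject a cookie whose user name was edited).

```ruby
require 'openssl'
require 'json'

# Added illustration, not Camping's code: a cookie session whose payload is
# covered by an HMAC keyed with the state_secret the thread discusses.
class SignedCookieSession
  class MissingSecret < StandardError; end
  class BadSignature  < StandardError; end

  def initialize(state_secret)
    # The thread's first ask: do not silently run with nil or "" as the key.
    if state_secret.nil? || state_secret.empty?
      raise MissingSecret, 'state_secret must be a non-empty random string'
    end
    @secret = state_secret
  end

  # Serialize the session hash and append its MAC: "<base64 payload>--<hex mac>".
  def dump(session)
    payload = [JSON.generate(session)].pack('m0') # strict base64, no newlines
    "#{payload}--#{hmac(payload)}"
  end

  # Check the MAC before trusting any field, so an edited user name is rejected.
  def load(cookie)
    payload, sig = cookie.to_s.split('--', 2)
    raise BadSignature, 'cookie has no signature' if payload.nil? || sig.nil?
    raise BadSignature, 'cookie signature mismatch' unless secure_equal?(sig, hmac(payload))
    JSON.parse(payload.unpack1('m0'))
  end

  # Yes/no form for callers that only need to know whether to trust the cookie.
  def valid?(cookie)
    load(cookie)
    true
  rescue BadSignature, ArgumentError, JSON::ParserError
    false
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end

  # Constant-time comparison: touches every byte, so timing leaks only the length.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```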

