On Fri, Jun 6, 2008 at 6:07 AM, Magnus Holm <[EMAIL PROTECTED]> wrote:
> It looks like everyone has tried to fix the cookies lately, and no-one
> managed to get it 100% correctly...

Thanks for the code, that seems to work really well and prettily. I admit that, though I love writing apps in it, I am very new to hacking on the dark underbelly of Camping. (Me, I just wanted to get sessions to work in the Junebug wiki for a Ruby class I'm teaching some friends.)

Your new patch makes sense to me. I'd be interested to hear a discussion of why the Bluebie version didn't work, because I thought that made sense too. :)

I do like Jenna's streamlining of the session handling stuff:
http://github.com/Bluebie/camping/commit/8ef1e532453fd378b003f967c034c78f64dbc802

I tend to agree that for most Camping apps it's probably okay to keep the cookie session around for the whole browser session, and that trying to prevent session hijacking with IP addresses/UA strings is going to be annoying for a fair amount of people.

On the other hand, removing the timeout and remote address stuff does make it stupidly easy to steal a session, since all the session data is sent in essentially cleartext with every request. (This is of course only very slightly worse than, say, a username/password being sent in cleartext once during a login.) Tricky tricky!

Myself, I'd prefer to keep Camping sessions super-simple, and just make sure that the limitations are documented and the necessity of something like OpenID or SSL is emphasized if you need really real security. Like this:
http://rubyforge.org/pipermail/camping-list/2008-May/000712.html
and also this:
http://rubyforge.org/pipermail/camping-list/2008-May/000722.html

devin ('qwzybug')
_______________________________________________
Camping-list mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/camping-list
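The trade-off devin describes above (session data carried in the cookie itself, so a stolen cookie is a stolen session unless something like a timeout limits its life) can be made concrete with a small cookie-session helper. This is an added example, not Camping's own session code or anything from the thread: it assumes a JSON payload instead of whatever serialization Camping uses, a hypothetical `SESSION_TTL`, and an HMAC-SHA256 over the cookie body. The MAC stops tampering and the expiry timestamp bounds how long a captured cookie stays useful, while `peek_session` shows that the payload is still readable by anyone holding the cookie, which is the "essentially cleartext" point above.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Assumption for the example: how long a session cookie stays valid.
SESSION_TTL = 30 * 60 # seconds

def session_hmac(body, secret)
  OpenSSL::HMAC.hexdigest('SHA256', secret, body)
end

# Cookie value layout (constructed for this example): base64(json) + "--" + hmac.
# An expiry timestamp is stored inside the signed payload so it cannot be edited.
def encode_session(data, secret, now = Time.now.to_i)
  payload = data.merge('expires_at' => now + SESSION_TTL)
  body = Base64.strict_encode64(JSON.generate(payload))
  "#{body}--#{session_hmac(body, secret)}"
end

# Constant-time comparison so the MAC check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil when the cookie is malformed, was tampered
# with (MAC mismatch), or has passed its expiry time.
def decode_session(cookie, secret, now = Time.now.to_i)
  body, mac = cookie.to_s.split('--', 2)
  return nil if body.nil? || mac.nil?
  return nil unless secure_equal?(mac, session_hmac(body, secret))
  data = JSON.parse(Base64.strict_decode64(body))
  return nil if data['expires_at'].to_i < now
  data
rescue ArgumentError, JSON::ParserError
  nil
end

# The MAC gives integrity, not confidentiality: anyone holding the cookie can
# read the payload without knowing the secret.
def peek_session(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split('--', 2).first))
end
```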

