On Wednesday, June 17, 2015 at 4:52:00 AM UTC-4, Thomas Heller wrote:
>
> Hey,
>
> the issue is not in clojure.core. It is with ring in this case, it uses 
> clojure.tools.reader.edn/read-string which supports an optional {:readers 
> {...}} argument but there is no way to specify those in ring. Should be a 
> fairly simple fix though, doing anything to clojure.edn won't help as it is 
> not used.
>
> On another note: Sessions in cookies should be VERY VERY small. 
> java.io.Serializable usually isn't small and especially if you go java 
> object -> binary -> base64 -> base64 (yes twice) -> encrypt. The size of 
> the cookie matters as it is transmitted with EVERY request.
>
> I would recommend writing print-method implementation for the Java objects 
> you need to serialize and keeping those to a minimum. Session cookies are 
> not arbitrary storage and writing a "transparent" serialization format that 
> doesn't check the size will lead to uncontrolled growth. I have seen way 
> too many web apps with cookies above 4kb. One even had Apache configured to 
> reject requests (well, default config) that had too large cookies and no 
> one even noticed except for the users that left confused and never came 
> back.
>
> Just as a warning. :)
>

If you really do need to store session state that can potentially grow that 
large, your best bet is to stick it in a server-side database and put that 
table's primary key in the client-side cookie, looking up the state object 
on receiving it back. This also prevents the end-user or a MITM from 
monkeying with the state, which might prevent some types of attacks 
(typically, session hijacking methods that aren't simple replay attacks, or 
cheating to give yourself the super-duper armor for free in an online game, 
or whatever). Remember when AT&T was embarrassed by some guy finding he 
could peek at every customer's data just by changing an &custID=nnn sort of 
URL parameter? Same thing can happen with a cookie that just says "logged 
in as user#6178" or equivalent. Change it to "6179" and boom you're someone 
else. But if the cookie is something like a random UUID that points to a 
server-side DB entry that says "logged in as user#6178", fiddling with the 
UUID will just produce error messages. Just don't use an autoincrement 
integer PK or you are right back where you started. :)

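As an added example (not code from either post in this thread, and not ring's own code), the following Clojure puts both pieces of advice into working form: a compact tagged-literal printer for a Java object with the matching `{:readers ...}` map an edn cookie store would need, a size budget on the cookie value, and a server-side session table keyed by a random UUID with the autoincrement-integer design kept only for contrast. The tag `example/uri`, the function names, the 4096-byte budget and the sample state are my own choices; the in-memory atom stands in for a database table.

```clojure
(ns session-cookie-example
  (:require [clojure.edn :as edn])
  (:import [java.net URI]
           [java.util UUID]))

;; ---------------------------------------------------------------------------
;; 1. Explicit, compact serialization of a Java object (first post's advice).
;;    A tagged literal replaces Serializable -> binary -> base64 -> base64.
;; ---------------------------------------------------------------------------

(defmethod print-method URI [^URI u ^java.io.Writer w]
  (.write w "#example/uri ")       ; hypothetical tag chosen for this example
  (print-method (str u) w))        ; the quoted string form of the URI

(def edn-readers
  "Reader map for the tag above. This is the {:readers ...} option a cookie
   store would hand to edn/read-string when decoding the cookie value."
  {'example/uri (fn [s] (URI. s))})

(defn serialize-session [session]
  (pr-str session))

(defn deserialize-session [^String s]
  (edn/read-string {:readers edn-readers} s))

;; The first post's second warning: check the size before it becomes a cookie.
;; 4096 bytes is the usual per-cookie limit in browsers; stay well under it.
(def max-cookie-bytes 4096)

(defn cookie-value-ok? [^String v]
  (<= (count (.getBytes v "UTF-8")) max-cookie-bytes))

;; ---------------------------------------------------------------------------
;; 2. Server-side state keyed by a random UUID (reply's advice). The atom
;;    stands in for a database table; the cookie carries only the key.
;; ---------------------------------------------------------------------------

(defonce sessions (atom {}))

(defn new-session!
  "Store state server-side and return the opaque id destined for the cookie.
   UUID/randomUUID gives 122 random bits, so a client cannot step from its own
   valid id to a neighbour's the way 6178 -> 6179 works for an integer PK."
  [state]
  (let [sid (str (UUID/randomUUID))]
    (swap! sessions assoc sid state)
    sid))

(defn lookup-session
  "Resolve a cookie value to server-side state; nil if unknown or tampered."
  [sid]
  (get @sessions sid))

;; The design the reply warns against, kept for contrast only.
(defonce next-int-id (atom 0))
(defonce int-sessions (atom {}))

(defn new-int-session! [state]
  (let [sid (swap! next-int-id inc)]
    (swap! int-sessions assoc sid state)
    sid))

(defn -main [& _]
  ;; Constructed sample state, including a Java object with a custom printer.
  (let [state      {:user-id 6178 :home (URI. "https://example.invalid/u/6178")}
        cookie-val (serialize-session state)]
    (println "edn cookie value:" cookie-val)
    (println "size ok?" (cookie-value-ok? cookie-val))
    (println "round trip:" (deserialize-session cookie-val)))
  (let [alice    (new-session! {:user-id 6178})
        _        (new-session! {:user-id 6179})
        a-int    (new-int-session! {:user-id 6178})
        _        (new-int-session! {:user-id 6179})
        ;; 'x' is not a hex digit, so this is guaranteed to be a different id
        tampered (str "x" (subs alice 1))]
    (println "uuid lookup:"       (lookup-session alice))
    (println "tampered lookup:"   (lookup-session tampered))            ; nil
    (println "integer neighbour:" (get @int-sessions (inc a-int)))))    ; someone else's state
```

Load the file in a REPL and call `(-main)`. The tampered UUID resolves to nothing, while incrementing the integer key lands on another user's state, which is the whole difference the reply is pointing at. Ring's session middleware with a server-side store follows the same key-in-cookie, state-on-server split; the edn printer and reader map are what you would register if the session had to stay in the cookie and still hold a Java object.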
-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en