I like the cookie sessions that Rails edge has - they make sense, they're fast, easy.

For those that don't know: the default session mechanism is to give developers a Hash called session. To store this object between requests, it Marshals the session object and sends the object itself (now as a bitstream) back to clients to store in their cookie file. To prevent users from tampering with this data, a cryptographic digest (using HMAC with SHA-1) is sent along with the bitstream.

The major problem with this scheme is that the Marshalled data is not at all encrypted! Users are free to unmarshal and examine what websites are storing in their sessions. They cannot change the data, but nevertheless this is a security problem!

The answers given by the Rails developers sound rather naïve:

> This is getting into very difficult crypto. Basically, depending on the
> cipher, there may be cases where you can change one part of the text
> without changing the other.

Not that I know much about cryptography, but I'm almost certain that modifying AES encrypted Marshaled data is quite tamper proof. If not, one could at least send a digest along with it. There has been some mention of the extra AES operation slowing down speed (but it's been said it's not much of a slowdown); I think having secure cookies would be well worth the cost.

Is there interest in this type of session for Merb?

Related: I've just written a CookieJar class - perhaps it would be useful for Merb?
http://rubyforge.org/pipermail/mongrel-users/2007-August/003890.html

ry
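The signed-only cookie described in the message above, next to an authenticated-encryption variant in which a changed byte fails the tag check, as an added example (not code from Rails, Merb or the original post). The key constants, function names, the `--` separator and the choice of AES-256-GCM are assumptions made for the illustration.

```ruby
require "openssl"
require "base64"

# Constructed keys for the demo; a real app loads them from secret config.
SIGN_KEY = OpenSSL::Random.random_bytes(32)
ENC_KEY  = OpenSSL::Random.random_bytes(32)

# Scheme from the post: Marshal + HMAC-SHA1. Tamper-evident, but readable.
def signed_cookie(session)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", SIGN_KEY, data)}"
end

def read_signed(cookie)
  data, mac = cookie.split("--", 2)
  expected = OpenSSL::HMAC.hexdigest("SHA1", SIGN_KEY, data.to_s)
  return nil unless mac && OpenSSL.secure_compare(mac, expected)
  Marshal.load(Base64.strict_decode64(data)) # only after the MAC verifies
end

# What the cookie's holder can do without any key: decode and inspect.
def client_view(cookie)
  Marshal.load(Base64.strict_decode64(cookie.split("--", 2).first))
end

# AES-256-GCM: encryption and integrity tag in one step (iv | tag | ciphertext).
def encrypted_cookie(session)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = ENC_KEY
  iv = cipher.random_iv # fresh 12-byte nonce per cookie
  ct = cipher.update(Marshal.dump(session)) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ct)
end

def read_encrypted(cookie)
  raw = Base64.strict_decode64(cookie)
  return nil if raw.bytesize <= 28
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = ENC_KEY
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  plain = cipher.update(raw[28..-1]) + cipher.final # final raises on tampering
  Marshal.load(plain)
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end
```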
