Yeah I'd be interested in a cookie store. But the security concerns are valid so we would need to investigate thoroughly.

Ezra

Sent from my iPhone

On Aug 17, 2007, at 10:08 AM, "ry dahl" <[EMAIL PROTECTED]> wrote:

> I like the cookie sessions that Rails edge has - they make sense,
> they're fast, easy.
>
> For those that don't know: the default session mechanism is to give
> developers a Hash called session. To store this object between
> requests it Marshals the session object and sends the object itself
> (now as a bitstream) back to clients to store in their cookie file. To
> prevent users from tampering with this data, a cryptographic digest
> (using HMAC with SHA-1) is sent along with the bitstream.
>
> The major problem with this scheme is that the Marshalled data is not
> at all encrypted! Users are free to unmarshal and examine what
> websites are storing in their sessions. They cannot change the data,
> but nevertheless this is a security problem!
>
> The answers given by the rails developers sound rather naïve:
>> This is getting into very difficult crypto. Basically, depending on
>> the cipher, there may be cases where you can change one part of the
>> text without changing the other.
> Not that I know much about cryptography, but I'm almost certain that
> modifying AES encrypted Marshaled data is quite tamper proof. If not,
> one could at least send a digest along with it.
>
> There has been some mention of the extra AES operation slowing down
> speed (but it's been said it's not much of a slowdown), I think having
> secure cookies would be well worth the cost.
>
> Is there interest in this type of session for Merb?
> Related: I've just written a CookieJar class - perhaps it would be
> useful for Merb?
> http://rubyforge.org/pipermail/mongrel-users/2007-August/003890.html
>
> ry
> _______________________________________________
> Merb-devel mailing list
> [email protected]
> http://rubyforge.org/mailman/listinfo/merb-devel
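As an added illustration (not code from the thread, from Merb, or from Rails), the two designs discussed above side by side in Ruby: the signed-but-readable cookie (Marshal plus HMAC-SHA1) and an encrypt-then-MAC cookie (AES-256-CBC, then HMAC-SHA256 over the ciphertext). The `--` separator, the digest choice for the encrypted variant, and the 32-byte keys are assumptions. It shows the two properties the thread argues about: the holder of a signed cookie can read the session without any secret, and any change to a sealed cookie is rejected before decryption or `Marshal.load` runs. Tamper detection comes from the HMAC, not from AES itself; CBC alone is malleable, which is the point the Rails developers were making.

```ruby
require 'openssl'

# Added illustration of the two cookie-session designs discussed in the thread.
# Not Merb or Rails code; separator, digest and key-length choices are assumptions.

# Constant-time comparison so a forged tag cannot be confirmed byte by byte via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Scheme 1: Marshal + HMAC-SHA1, no encryption (what the thread says Rails edge does)

def sign_cookie(session, secret)
  payload = [Marshal.dump(session)].pack('m0')              # strict base64, no newlines
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, payload)}"
end

# The tag is verified BEFORE Marshal.load: unmarshalling unverified bytes is never safe.
def verify_cookie(cookie, secret)
  payload, tag = cookie.to_s.split('--', 2)
  return nil if payload.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  return nil unless secure_equal?(expected, tag)            # modified or forged -> reject
  Marshal.load(payload.unpack1('m0'))
end

# The disclosure problem: the session is readable without any secret.
# (This only decodes a cookie the same program produced.)
def peek_signed_cookie(cookie)
  payload, _tag = cookie.to_s.split('--', 2)
  Marshal.load(payload.unpack1('m0'))
end

# --- Scheme 2: AES-256-CBC, then HMAC-SHA256 over IV + ciphertext (encrypt-then-MAC)

def seal_cookie(session, enc_key, mac_key)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = enc_key                                      # 32-byte key (assumed)
  iv = cipher.random_iv                                     # fresh IV for every cookie
  ciphertext = cipher.update(Marshal.dump(session)) + cipher.final
  body = [iv + ciphertext].pack('m0')
  "#{body}--#{OpenSSL::HMAC.hexdigest('SHA256', mac_key, body)}"
end

def open_cookie(cookie, enc_key, mac_key)
  body, tag = cookie.to_s.split('--', 2)
  return nil if body.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', mac_key, body)
  return nil unless secure_equal?(expected, tag)            # checked before any decryption
  raw = body.unpack1('m0')
  iv, ciphertext = raw[0, 16], raw[16..]
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = enc_key
  cipher.iv = iv
  Marshal.load(cipher.update(ciphertext) + cipher.final)
end

if __FILE__ == $PROGRAM_NAME
  secret  = OpenSSL::Random.random_bytes(32)                # constructed demo keys
  enc_key = OpenSSL::Random.random_bytes(32)
  mac_key = OpenSSL::Random.random_bytes(32)
  session = { 'user_id' => 42, 'flash' => 'welcome back' }

  signed = sign_cookie(session, secret)
  puts "signed cookie, read without the secret: #{peek_signed_cookie(signed).inspect}"
  sealed = seal_cookie(session, enc_key, mac_key)
  puts "sealed cookie round-trips: #{open_cookie(sealed, enc_key, mac_key) == session}"
  damaged = sealed.dup
  damaged[0] = (damaged[0] == 'A' ? 'B' : 'A')
  puts "sealed cookie with one character changed: #{open_cookie(damaged, enc_key, mac_key).inspect}"
end
```

Two design points worth noting: the HMAC is checked before anything else touches the payload, so neither the decryptor nor `Marshal.load` ever sees bytes the server did not produce, and the encryption key and MAC key are separate, so a weakness in one primitive does not hand over the other.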
