ok, still trying to solve this mystery.
I have been reading through merb-core looking for the correct way to
remove the old bad session cookie simply to issue a new one.
The closest I have come to a solution is in my Exceptions controller
adding the method:

  # Handler in my Exceptions controller for merb's TamperedWithCookie
  def tampered_with_cookie
    # ask merb to drop the old cookie and issue a fresh one
    # (fails: needs_new_cookie! is private in merb-core)
    self.needs_new_cookie!
    message[:notice] = "Your session cookie was invalid and has been reset."
    return redirect(url(:home), :message => message)
  end

This does not work since needs_new_cookie! is marked as private.  So I
can either figure out how to force merb to let me use this private
method (still not sure this would give me the desired behavior) or I
can find some other route.

Another mystery, TamperedWithCookie is a subclass of StandardError.
According to merb's docs, only ControllerExceptions get the special
treatment of being renamed and dispatched to your Exceptions
controller.  There is a catch-all internal_server_error that would
have needed to be defined for TamperedWithCookie.  But no, for some
reason tampered_with_cookie does get called.

ugghhh!!!

Jon
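As an added illustration of the behaviour Jon is after (this is not merb-core's code or API; the class and method names are hypothetical): a toy signed-cookie session store in which a digest mismatch, for instance from a rotated session_secret_key, is either raised as TamperedWithCookie, silently ignored (modelling ignore_tampered_cookies = true), or handled by discarding the cookie and starting a fresh empty session.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Simplified model of a signed cookie session store, added as an
# illustration only: it is NOT merb-core's code or API.
class TamperedWithCookie < StandardError; end
class SignedCookieSession
  # secret models session_secret_key; ignore_tampered models the
  # ignore_tampered_cookies setting as the thread describes it.
  def initialize(secret, ignore_tampered: false)
    @secret = secret
    @ignore_tampered = ignore_tampered
  end

  # Cookie value is "base64(json)--hexdigest(HMAC-SHA1 over base64)".
  def dump(session)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}--#{digest(data)}"
  end

  # Verify the digest before trusting the payload. On mismatch, raise
  # unless ignore_tampered is set, in which case return an empty session.
  def load(cookie)
    data, sig = cookie.to_s.split('--', 2)
    unless data && sig && secure_compare(digest(data), sig)
      raise TamperedWithCookie, 'cookie digest mismatch' unless @ignore_tampered
      return {}
    end
    JSON.parse(Base64.strict_decode64(data))
  end

  # The behaviour the thread asks for: a cookie signed under an old
  # session_secret_key is discarded and a fresh empty session issued;
  # the flag lets the caller set a notice and send a new cookie.
  def load_or_reset(cookie)
    [load(cookie), false]
  rescue TamperedWithCookie
    [{}, true]
  end

  private
  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
  end

  # Constant-time comparison so the check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```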


On Jan 19, 7:10 pm, Jon Hancock <[email protected]> wrote:
> Thanks for pointing to some of the code.  I see it does not behave as
> I thought.  Subtle so but with effects that caused me to have an
> incorrect mental model of what was happening in dev vs. production.
>
> So for production mode, I'm supposed to catch TamperedWithCookie for
> the entire app, including the auth slice which will not inherit from
> my Application.
> Does anyone have sample code for this?
> I only need simple behavior of "if the cookie is invalid, clear it and
> create a new empty one".
>
> I have looked through the code and it is craftily written to not throw
> an exception in dev mode (ignore_tampered_cookies = true).  By having
> the crafty solution, there is no path to what to do for production
> mode.
> It seems it would be better to throw the exception in all cases where
> the cookie digest is incorrect and have a stock exception handler set
> for ignore_tampered_cookies = true.  This gives the app developer a
> very clear path for just plugging/overriding a different handler for
> production mode.
> At the moment, I'm at a loss how to stuff this new global behavior
> into my app.
>
> thanks, Jon
>
> On Jan 19, 4:21 pm, Roy Wright <[email protected]> wrote:
>
> > You might have found this already:
>
> > in config/environments/development.rb
>
> > Merb::Config.use { |c|
> >    c[:ignore_tampered_cookies] = true
>
> > Then search on ignore_tampered_cookies which will find
> > cookie.rb where TamperedWithCookie exception is raised.
>
> > HTH,
> > Roy
>
> > On Jan 19, 2009, at 1:58 AM, Jon Hancock wrote:
>
> > > now I've pushed some more code into production and retested.  In
> > > production mode I get a proper "Tampered with cookie" error.  In
> > > development mode, it seems to be blissfully ignoring the fact that my
> > > session_secret_key has changed.
>
> > > This isn't a serious security problem.  Now I need to figure out how
> > > to deal with the production error.  The default behavior of showing
> > > the end user a merb exception page isn't very interesting.  What I
> > > want is to simply throw away the old cookie as it isn't actually
> > > tampered with.
You received this message because you are subscribed to the Google Groups "merb" group.