Jon,

You should probably take a look at the cookie session implementation itself.
There is an unmarshal method that detects if the cookie has been tampered
with or not.  You could create your own cookie session implementation that
would create a new cookie rather than just complain.

merb-core/lib/dispatch/session/cookie.rb

Personally, I had to create my own cookie session store that would not
constantly regenerate the session id and I used the stock cookie
implementation as a guide.

Michael

On Tue, Jan 20, 2009 at 10:04 AM, Jon Hancock <[email protected]> wrote:

>
> ok, still trying to solve this mystery.
> I have been reading through merb-core looking for the correct way to
> remove the old bad session cookie simply to issue a new one.
> The closest I have come to a solution is in my Exceptions controller
> adding the method:
>
>  def tampered_with_cookie
>    self.needs_new_cookie!
>    message[:notice] = "Your session cookie was invalid and has been reset."
>    return redirect(url(:home), :message => message)
>  end
>
> This does not work since needs_new_cookie! is marked as private.  So I
> can either figure out how to force merb to let me use this private
> method (still not sure this would give me the desired behavior) or I
> can find some other route.
>
> Another mystery, TamperedWithCookie is a subclass of StandardError.
> According to merb's docs, only ControllerExceptions get the special
> treatment of being renamed and dispatched to your Exceptions
> controller.  There is a catch all internal_server_error that would
> have needed to be defined for TamperedWithCookie.  but no, for some
> reason  tampered_with_cookie does get called.
>
> ugghhh!!!
>
> Jon
>
>
> On Jan 19, 7:10 pm, Jon Hancock <[email protected]> wrote:
>  > Thanks for pointing to some of the code.  I see it does not behave as
> > I thought.  Subtle so but with effects that caused me to have an
> > incorrect mental model of what was happening in dev vs. production.
> >
> > So for production mode, I'm supposed to catch TamperedWithCookie for
> > the entire app, including the auth slice which will not inherit from
> > my Application.
> > Does anyone have sample code for this?
> > I only need simple behavior of "if the cookie is invalid, clear it and
> > create a new empty one".
> >
> > I have looked through the code and it is craftily written to not throw
> > an exception in dev mode (ignore_tampered_cookies = true).  By having
> > the crafty solution, there is no path to what to do for production
> > mode.
> > It seems it would be better to throw the exception in all cases where
> > the cookie digest is incorrect and have a stock exception handler set
> > for ignore_tampered_cookies = true.  This gives the app developer a
> > very clear path for just plugging/overriding a different handler for
> > production mode.
> > At the moment, I'm at a loss how to stuff this new global behavior
> > into my app.
> >
> > thanks, Jon
> >
> > On Jan 19, 4:21 pm, Roy Wright <[email protected]> wrote:
> >
> > > You might have found this already:
> >
> > > in config/environments/development.rb
> >
> > > Merb::Config.use { |c|
> > >    c[:ignore_tampered_cookies] = true
> > > }
> >
> > > Then search on ignore_tampered_cookies which will find
> > > cookie.rb where TamperedWithCookie exception is raised.
> >
> > > HTH,
> > > Roy
> >
> > > On Jan 19, 2009, at 1:58 AM, Jon Hancock wrote:
> >
> > > > now I've pushed some more code into production and retested.  In
> > > > production mode I get a proper "Tampered with cookie" error.  In
> > > > development mode, it seems to be blissfully ignoring the fact that my
> > > > session_secret_key has changed.
> >
> > > > This isn't a serious security problem.  Now I need to figure out how
> > > > to deal with the production error.  The default behavior of showing
> > > > the end user a merb exception page isn't very interesting.  What I
> > > > want is to simply throw away the old cookie as it isn't actually
> > > > tampered with.
> >
>

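As an added illustration of the approach Michael describes (a cookie store whose unmarshal step checks the digest and, instead of complaining, hands back a fresh session), here is a small self-contained Ruby example. It is not Merb's code and does not use Merb's API: the class name `CookieSessionStore`, the `ignore_tampered:` option (standing in for the `ignore_tampered_cookies` config setting discussed in the thread), the HMAC-SHA256 digest, and the JSON payload encoding are all assumptions made for the example. The second return value of `unmarshal` plays the role of the "needs new cookie" flag, so the caller knows to set a replacement cookie on the response.

```ruby
require "openssl"
require "json"
require "securerandom"

# Added example, not Merb's implementation: a minimal signed cookie session
# store. A bad digest either raises TamperedWithCookie (production-style) or,
# with ignore_tampered: true, yields a fresh empty session plus a flag telling
# the caller to issue a new cookie.
class TamperedWithCookie < StandardError; end

class CookieSessionStore
  # The secret is supplied by the caller; a real app would load it from config.
  def initialize(secret, ignore_tampered: false)
    raise ArgumentError, "secret too short" if secret.bytesize < 16
    @secret = secret
    @ignore_tampered = ignore_tampered
  end

  # Serialize the session hash and append an HMAC over the encoded payload.
  # Base64 (pack "m0") and the hex digest never contain "--", so it is a safe
  # separator.
  def marshal(session)
    data = [JSON.generate(session)].pack("m0")
    "#{data}--#{digest(data)}"
  end

  # Parse a cookie value. Returns [session_hash, needs_new_cookie].
  # Missing cookie: fresh session. Digest mismatch or undecodable payload:
  # raise in strict mode, otherwise fresh session and needs_new_cookie = true.
  def unmarshal(cookie)
    return [new_session, true] if cookie.nil? || cookie.empty?
    data, sig = cookie.split("--", 2)
    unless sig && secure_compare(digest(data), sig)
      raise TamperedWithCookie, "cookie digest mismatch" unless @ignore_tampered
      return [new_session, true]
    end
    [JSON.parse(data.unpack1("m0")), false]
  rescue ArgumentError, JSON::ParserError
    # Payload that fails to decode is treated exactly like a bad digest.
    raise TamperedWithCookie, "cookie payload undecodable" unless @ignore_tampered
    [new_session, true]
  end

  private

  # A fresh session carries only a newly generated id.
  def new_session
    { "session_id" => SecureRandom.hex(16) }
  end

  def digest(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end

  # Constant-time comparison so a digest check does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = CookieSessionStore.new("constructed-example-secret-0123456789", ignore_tampered: true)
  cookie = store.marshal({ "user_id" => 42 })
  puts store.unmarshal(cookie).inspect            # original session, no new cookie
  puts store.unmarshal("f" + cookie[1..]).inspect # tampered: fresh session, new cookie
end
```

The `rescue` clause matters in practice: a cookie produced under an old `session_secret_key` (Jon's situation) fails the digest check, but so does a truncated or garbled one, and both should lead to the same reset path rather than a 500 page.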