I'm concerned about the possibility of replay attacks with cookie sessions. This is a standard security issue.
Example:

1. User receives credits, stored in his session
2. User buys something
3. User gets his new, lower credits stored in his session
4. Evil hacker takes his saved cookie from step #1 and pastes it back in his browser's cookie jar. Now he's gotten his credits back.

This is normally solved using something called a nonce - each signing includes a once-only code, and the signer keeps track of all of the codes, and rejects any message with the code repeated. But that's very hard to do here, since there may be several app servers (mongrels). Of course, we could store the nonce in the DB - but that defeats the entire purpose!

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [EMAIL PROTECTED]. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en
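The replay described in the post, reproduced as an added example that is not part of the original message or of Rails itself: a minimal HMAC-signed cookie store (Ruby standard library only; the secret, the account table and all function names are constructed for the demo). The first flow keeps the credit balance inside the cookie, so the step-1 cookie still verifies after the purchase and the old balance comes back. The second flow keeps the cookie down to identity plus a per-user session generation number, with the balance held server-side; a replayed cookie then only re-identifies the user, and bumping the generation (logout, suspected cookie theft) rejects every cookie issued before it. That counter is the one small piece of shared state the servers need, instead of a log of every nonce ever issued.

```ruby
require 'openssl'
require 'json'

# Constructed demo secret (hypothetical; a real app uses a long random key).
SECRET = 'demo-only-secret-do-not-reuse'.freeze

# Constant-time comparison so MAC verification does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign a session hash the way a cookie-based store does: base64(JSON) plus an HMAC.
def sign_session(data, secret = SECRET)
  payload = [JSON.generate(data)].pack('m0')
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Verify the MAC and decode; returns nil if the cookie was tampered with.
# Note what this does NOT check: whether this cookie is the *latest* one issued.
def load_session(cookie, secret = SECRET)
  payload, mac = cookie.split('--', 2)
  return nil unless payload && mac
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_equal?(expected, mac)
  JSON.parse(payload.unpack1('m0'))
end

# --- Vulnerable pattern: the mutable balance lives inside the cookie. ---
# Returns the credits the server sees after the step-1 cookie is replayed.
def credits_after_replay_vulnerable
  step1_cookie = sign_session('user_id' => 42, 'credits' => 100)
  session = load_session(step1_cookie)
  session['credits'] -= 30                 # purchase
  _step3_cookie = sign_session(session)    # fresh cookie now says 70 credits
  load_session(step1_cookie)['credits']    # old cookie still verifies: 100
end

# --- Hardened pattern: cookie carries identity only; balance is server-side. ---
# Constructed in-memory stand-in for the account table plus a per-user
# session generation counter (hypothetical; a real app keeps this in its DB/cache).
def new_accounts
  { 42 => { credits: 100, session_generation: 1 } }
end

def issue_identity_cookie(accounts, user_id)
  sign_session('user_id' => user_id,
               'gen' => accounts[user_id][:session_generation])
end

# Resolve a cookie to a user only if its generation is still the current one.
def current_user(accounts, cookie)
  session = load_session(cookie)
  return nil unless session
  account = accounts[session['user_id']]
  return nil unless account && session['gen'] == account[:session_generation]
  session['user_id']
end

# Replaying the step-1 cookie re-identifies the user but cannot restore credits,
# because the balance never left the server.
def credits_after_replay_hardened
  accounts = new_accounts
  step1_cookie = issue_identity_cookie(accounts, 42)
  accounts[current_user(accounts, step1_cookie)][:credits] -= 30   # purchase
  accounts[current_user(accounts, step1_cookie)][:credits]         # replay: 70
end

# Bumping the generation invalidates every cookie issued before it.
def replay_after_invalidation
  accounts = new_accounts
  old_cookie = issue_identity_cookie(accounts, 42)
  accounts[42][:session_generation] += 1   # logout / forced invalidation
  current_user(accounts, old_cookie)       # nil: stale generation rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "balance-in-cookie, after replay:  #{credits_after_replay_vulnerable}"
  puts "identity-only cookie, after replay: #{credits_after_replay_hardened}"
  puts "old cookie after invalidation:     #{replay_after_invalidation.inspect}"
end
```

The design point is that a signature only proves who wrote the cookie, never that it is the most recent one, so anything the server must not see rolled back (balances, roles, flags) has to live where the server can look it up, with the cookie acting as a signed pointer to it. Adding an issued-at timestamp and a short lifetime narrows the replay window further, but it does not remove it.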
