On 3/21/07, Brad Ediger <[EMAIL PROTECTED]> wrote:

> > Heh... how about a user ID? What if an evil hacker sets it to 1, assuming
> > that the first user is likely to be admin?
>
> He can't, the HMAC wouldn't verify.

Ah, that's right. So the only possible attack vector here is copying the entire cookie, including HMAC?

OK, how about making this option available, but not default? And documenting explicitly that if you switch to this option, you should be extremely cautious about putting what you called "sensitive transient data" in the session?

This looks like a good compromise, because people with a clue would still use it (for both maintainability and performance benefits) while people without a clue will have to figure it out, and hopefully read the warning in the docs.

Personally, I'd much rather deal with beginners having "Rails performance sucks" pains early on (because of file-based sessions), rather than discovering that "Rails security is totally screwed" a year after production.

Alex

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en
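The two properties the thread turns on, that an HMAC stops a client from editing its own session (the user ID cannot be flipped to 1) but does nothing to hide the payload or to stop a verbatim copy of the cookie from verifying, are shown below in a toy signed cookie store. This is an added example, not Rails' CookieStore code: it uses JSON rather than Rails' Marshal serialization, a `--` separator, HMAC-SHA1, and a constructed secret, all of which are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Toy signed cookie store (not Rails' implementation). The payload is only
# Base64-encoded, not encrypted: the HMAC gives integrity, not confidentiality.
SECRET = 'constructed-example-secret-do-not-reuse' # constructed sample key

def sign(data, secret)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# Serialize the session hash and append an HMAC over the encoded payload.
def encode_session(session, secret)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{sign(payload, secret)}"
end

# Constant-time comparison so the verifier does not leak where digests differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash if the HMAC verifies, nil otherwise.
def decode_session(cookie, secret)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(sign(payload, secret), digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Anyone holding the cookie can read the payload without knowing the secret,
# which is why "sensitive transient data" does not belong in it.
def read_without_key(cookie)
  payload = cookie.split('--', 2).first
  JSON.parse(Base64.strict_decode64(payload))
end

# Re-encode the payload with a changed field but keep the original digest:
# what a client editing its own cookie would submit.
def tampered_copy(cookie, changes)
  payload, digest = cookie.split('--', 2)
  session = JSON.parse(Base64.strict_decode64(payload)).merge(changes)
  "#{Base64.strict_encode64(JSON.generate(session))}--#{digest}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = encode_session({ 'user_id' => 42, 'flash' => 'sensitive transient data' }, SECRET)
  p decode_session(cookie, SECRET)                                 # original verifies
  p decode_session(tampered_copy(cookie, 'user_id' => 1), SECRET)  # nil: HMAC fails
  p read_without_key(cookie)                                       # readable without the secret
  p decode_session(cookie.dup, SECRET)                             # a verbatim copy still verifies
end
```

The last two calls are the caveat the thread asks to document: signing alone neither hides the session contents nor invalidates a cookie that has been copied whole, so a signed cookie store needs the payload kept non-sensitive and some server-side notion of expiry or revocation for the replay case.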