On Mar 21, 2007, at 19:43, S. Robert James wrote:

> I'm concerned about the possibility of replay attacks with cookie
> sessions. This is a standard security issue.
>
> Example:
> 1. User receives credits, stored in his session
> 2. User buys something
> 3. User gets his new, lower credits stored in his session

Your example scenario is unrealistic. If you really think it's a good idea to store such important stuff as your user's credit in a session instead of in your database you probably have bigger issues to worry about. :)

As long as you only use the session to maintain the id of the authenticated user and for flash messages there's absolutely nothing to worry about.

Kind regards,
Thijs

P.S. If you really _do_ think it's a good idea to store your user's credit in the session, please google for 'share-nothing' and 'database transactions' and do some reading.

--
Fingertips - http://www.fngtps.com
Phone: +31 (0)6 24204845
Skype: tvandervossen
MSN Messenger: [EMAIL PROTECTED]
iChat/AOL: [EMAIL PROTECTED]
Jabber IM: [EMAIL PROTECTED]
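
The two designs contrasted in this thread, as an added Ruby example that is not part of the original messages and is not Rails' own session code. It assumes a minimal HMAC-signed cookie; `SECRET`, the helper names and the `accounts` Hash standing in for a database table are all constructed for illustration.

```ruby
require "openssl"
require "base64"
require "json"

SECRET = "constructed-demo-secret" # constructed value for this example

# HMAC-signed cookie: the client can read and resend it, but not alter it.
def seal(session)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)}"
end

def unseal(cookie)
  data, mac = cookie.split("--", 2)
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, data.to_s)
  return nil unless mac && mac.bytesize == expected.bytesize
  # Constant-time comparison of the two hex digests.
  diff = mac.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }
  diff.zero? ? JSON.parse(Base64.strict_decode64(data)) : nil
end

# Scenario from the question: the credit balance lives in the cookie itself.
def buy_with_session_credits(cookie, price)
  session = unseal(cookie)
  return [:rejected, cookie] if session.nil? || session["credits"] < price
  session["credits"] -= price
  [:ok, seal(session)] # new cookie, but the old one still verifies
end

# Advice from the reply: cookie holds only the user id, balance is server-side.
def buy_with_server_credits(cookie, price, accounts)
  session = unseal(cookie)
  id = session && session["user_id"]
  return :rejected if id.nil? || accounts.fetch(id, 0) < price
  accounts[id] -= price # a real application does this in a DB transaction
  :ok
end

def replay_demo
  old_cookie = seal("user_id" => 7, "credits" => 10)
  accounts = { 7 => 10 }
  id_cookie = seal("user_id" => 7)
  [
    buy_with_session_credits(old_cookie, 10).first,   # legitimate purchase
    buy_with_session_credits(old_cookie, 10).first,   # same cookie replayed
    buy_with_server_credits(id_cookie, 10, accounts), # legitimate purchase
    buy_with_server_credits(id_cookie, 10, accounts)  # same cookie replayed
  ]
end
```

The signature stops tampering in both designs; only the second stops the replayed request, because the value that matters is checked against server-side state rather than against what the cookie claims.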