On 3/22/07, Brad Ediger <[EMAIL PROTECTED]> wrote:
> > The point is, answering these questions is hard.  Witness the
> > confusion in this thread alone.  DIY cryptosystems are hard:
> > professionals fail.  WEP failed.  Does it make sense to push all these
> > questions onto each new Rails developer's shoulders?
>
> And I think that is exactly what it comes to. That's kind of where I
> landed with that post when I started considering what user_id really
> meant.
>
> As neat as cookie sessions are, I don't think I'm going to use them
> to store authentication info anymore. Too many question marks.

You're forgetting that:
    (a) sessions already use cookies to store the session ID, so any
issues with cookie interception or other attacks apply to all session
storage methods.
    (b) you can't change the contents of the cookie or it will fail the HMAC.

If you're overly concerned with "user_id" haxoring, just use a guid
instead of DB id in your User.find.

court3nay

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---
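An added example, not code from the thread or from Rails itself, to make point (b) above concrete: a minimal signed cookie store in the style of the Rails 2.x CookieStore. It assumes (my assumption, not something the thread states) that the cookie value is the Marshal-dumped session, Base64-encoded, joined with "--" to a hex HMAC-SHA1 over that data under a server-side secret; the constant SECRET and the module and method names are all constructed for the example. The `peek` and `tamper` methods play the attacker who holds the cookie but not the secret: they can read the session (the cookie is signed, not encrypted, so the user_id is visible) but any rewrite fails verification.

```ruby
require 'openssl'

# Added example (not Rails' own CookieStore): sign a session hash with
# HMAC-SHA1 and refuse any cookie whose digest does not match.
module SignedCookie
  # Constructed secret for the example only; a real one comes from config.
  SECRET = 'example-secret-at-least-30-chars-long!!'.freeze

  def self.digest(data, secret = SECRET)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
  end

  # session hash -> "base64(Marshal.dump(session))--hexdigest"
  def self.generate(session, secret = SECRET)
    data = [Marshal.dump(session)].pack('m0') # strict Base64, no newlines
    "#{data}--#{digest(data, secret)}"
  end

  # Returns the session hash, or nil when the cookie is malformed or the
  # digest does not match. Marshal.load runs only after the digest check,
  # so unauthenticated bytes are never deserialized.
  def self.verify(cookie, secret = SECRET)
    data, sig = cookie.to_s.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data, secret), sig)
    Marshal.load(data.unpack1('m0'))
  rescue ArgumentError, TypeError # bad Base64 or bad Marshal stream
    nil
  end

  # Constant-time comparison so a verifier does not leak the expected
  # digest byte by byte through response timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    res = 0
    a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
    res.zero?
  end

  # Attacker's view: the payload is readable without the secret.
  def self.peek(cookie)
    data, = cookie.split('--', 2)
    Marshal.load(data.unpack1('m0'))
  end

  # Attacker's attempt: rewrite the session but keep the original digest,
  # which is all they can do without the secret.
  def self.tamper(cookie, changes)
    session = peek(cookie).merge(changes)
    data = [Marshal.dump(session)].pack('m0')
    "#{data}--#{cookie.split('--', 2).last}"
  end
end

if __FILE__ == $PROGRAM_NAME
  cookie = SignedCookie.generate('user_id' => 42)
  puts "verified:  #{SignedCookie.verify(cookie).inspect}"
  puts "peeked:    #{SignedCookie.peek(cookie).inspect}"
  forged = SignedCookie.tamper(cookie, 'user_id' => 1)
  puts "forged ok? #{!SignedCookie.verify(forged).nil?}"
end
```

Swapping the database id for a GUID, as suggested above, changes only what `peek` reveals; the digest check is what stops the rewrite either way.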