On Mar 22, 2007, at 2:08 PM, Courtenay wrote:

> On 3/22/07, Brad Ediger <[EMAIL PROTECTED]> wrote:
>>> The point is, answering these questions is hard. Witness the confusion in this thread alone. DIY cryptosystems are hard: professionals fail. WEP failed. Does it make sense to push all these questions onto each new Rails developer's shoulders?
>>
>> And I think that is exactly what it comes to. That's kind of where I landed with that post when I started considering what user_id really meant.
>>
>> As neat as cookie sessions are, I don't think I'm going to use them to store authentication info anymore. Too many question marks.
>
> You're forgetting that:
> (a) sessions already use cookies to store the session ID, so any issues with cookie interception or other attacks apply to all session storage methods.
> (b) you can't change the contents of the cookie or it will fail the HMAC.
>
> If you're overly concerned with "user_id" haxoring, just use a guid instead of DB id in your User.find
Umm... did you read the thread? No, I'm not forgetting any of that, and those are not my points at all.

(a) Cookie sessions are vulnerable to replay attacks, because the client can present *any* cookie that it has seen to the server, not just the most recently sent one. On the other hand, server-side storage methods are not vulnerable because the session ID always references the latest version of the session.

(b) Of course the HMAC would fail if you change the session. I'm not talking about changing the session. I never was.

What worries me is this:

1. I log in; I get session cookie A which corresponds to "user_id=12345" with the HMAC and everything.
2. I log out and my session cookie is "deleted" -- in the sense of not being presented to the server anymore. It may hang out on disk or memory.
3. Someone finds the session and presents it to the server. Since it is signed by the server, it is accepted and that user is logged in.

Suddenly, a token which had no value after logout (a session ID) now has immense value (session cookie) because possession of it allows one to impersonate me at any time in the future.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en
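The replay scenario in the three steps above, modelled as an added Ruby example (not code from the thread or from Rails itself): a simplified signed cookie store accepts a logged-out cookie because the HMAC still verifies, a server-side store rejects the old session ID because logout deleted its record, and a cookie store that additionally embeds a server-held per-user token that is rotated on logout rejects the replay. The classes, the HMAC-SHA256 choice and the `--` separator are assumptions for illustration, not the Rails cookie store's own format.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Hypothetical cookie-based store: the server keeps only a secret, and all
# session state lives in the cookie, signed with an HMAC so it cannot be altered.
class CookieSessionStore
  def initialize(secret)
    @secret = secret
  end

  # Serialize the session hash and append an HMAC-SHA256 tag.
  def issue(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{hmac(payload)}"
  end

  # Verify the tag and return the session, or nil if it was tampered with.
  # Any cookie this server ever issued keeps verifying: nothing records logout.
  def load(cookie)
    payload, tag = cookie.split('--', 2)
    return nil unless payload && tag && secure_compare(hmac(payload), tag)
    JSON.parse(Base64.strict_decode64(payload))
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end

  # Constant-time comparison so the tag check does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Hypothetical server-side store: the cookie carries only a lookup key.
class ServerSessionStore
  def initialize
    @sessions = {}
  end

  def issue(session)
    id = SecureRandom.hex(16)
    @sessions[id] = session
    id
  end

  def load(id)
    @sessions[id]
  end

  # Logout deletes the record, so an old ID resolves to nothing.
  def destroy(id)
    @sessions.delete(id)
  end
end

# Mitigation for cookie sessions: embed a per-user token that the server
# stores and rotates on logout, so a previously issued cookie stops matching.
class TokenCheckedCookieStore < CookieSessionStore
  def initialize(secret)
    super
    @user_tokens = Hash.new { |h, k| h[k] = SecureRandom.hex(16) }
  end

  def login(user_id)
    issue('user_id' => user_id, 'token' => @user_tokens[user_id])
  end

  def logout(user_id)
    @user_tokens[user_id] = SecureRandom.hex(16) # rotate: old cookies no longer match
  end

  def current_user(cookie)
    s = load(cookie)
    return nil unless s && @user_tokens[s['user_id']] == s['token']
    s['user_id']
  end
end

# Steps 1-3 of the thread against each store; user_id 12345 is the constructed sample.
def cookie_replay_accepted?(store)
  old_cookie = store.issue('user_id' => 12345)
  # "Logout" here is only the client ceasing to send the cookie.
  replayed = store.load(old_cookie)
  !replayed.nil? && replayed['user_id'] == 12345
end

def server_replay_accepted?(store)
  id = store.issue('user_id' => 12345)
  store.destroy(id) # logout invalidates the server-side record
  !store.load(id).nil?
end

def token_replay_accepted?(store)
  cookie = store.login(12345)
  store.logout(12345)
  !store.current_user(cookie).nil?
end
```

Running `cookie_replay_accepted?` on a plain `CookieSessionStore` returns true, which is the point of step 3: signature validity says nothing about whether the session is still current. The two other stores return false because logout changes state the server consults on every request; the token approach keeps the cookie store but reintroduces exactly one server-side lookup per request, which is the price of being able to revoke.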
