On Mar 22, 3:08 pm, Courtenay <[EMAIL PROTECTED]> wrote:
> You're forgetting that:
>     (a) sessions already use cookies to store the session ID, so any
> issues with cookie interception or other attacks apply to all session
> storage methods.

Not true.  Example: if, on logout, you update the session in the DB to
state "No User", the cookie is worthless.

>     (b) you can't change the contents of the cookie or it will fail the HMAC.

Yes, but you can replay them.  See my first post.

> If you're overly concerned with "user_id" haxoring, just use a guid
> instead of DB id in your User.find

Won't help - see earlier posts.


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---
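The two points argued above (the HMAC stops tampering but not replay; a DB-backed session can be overwritten to "No User" on logout so a copied cookie is worthless) as an added, self-contained Ruby illustration. This is not code from the thread or from Rails: `SignedCookie` is a simplified "payload--hmac" signer in the spirit of the cookie store, `CookieStoreApp` and `DbStoreApp` are constructed stand-ins for the two session storage strategies, the `@sessions` hash stands in for the sessions table, and `SECRET` is a constructed demo value.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

# Constructed demo secret; a real application loads this from configuration.
SECRET = "constructed-demo-secret-do-not-reuse".freeze

# Minimal HMAC-signed cookie: "base64(payload)--hex(hmac)".
# A modified cookie fails verification; an unmodified copy presented later
# still verifies, which is exactly the replay problem the reply describes.
module SignedCookie
  def self.sign(data)
    payload = Base64.strict_encode64(JSON.generate(data))
    "#{payload}--#{OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)}"
  end

  # Returns the session hash, or nil if the cookie is absent, malformed or tampered.
  def self.verify(cookie)
    payload, mac = cookie.to_s.split("--", 2)
    return nil if payload.nil? || mac.nil?
    expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
    return nil unless constant_time_equal?(expected, mac)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Length-then-XOR comparison so the MAC check does not leak via timing.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Cookie store: all session state lives in the cookie and the server keeps nothing.
# "Logout" can only hand the browser a fresh empty cookie; any copy of the old
# cookie remains a valid, correctly signed session.
class CookieStoreApp
  def login(user_id)
    SignedCookie.sign("user_id" => user_id)
  end

  def logout(_cookie)
    SignedCookie.sign({})
  end

  def current_user(cookie)
    (SignedCookie.verify(cookie) || {})["user_id"]
  end
end

# DB store: the cookie carries only a session id; the user binding lives in a
# server-side row that logout overwrites to "No User", so the old cookie is worthless.
class DbStoreApp
  def initialize
    @sessions = {} # constructed in-memory stand-in for the sessions table
  end

  def login(user_id)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { "user_id" => user_id }
    SignedCookie.sign("session_id" => sid)
  end

  def logout(cookie)
    sid = (SignedCookie.verify(cookie) || {})["session_id"]
    @sessions[sid] = { "user_id" => nil } if sid # the "No User" state from the reply
    SignedCookie.sign({})
  end

  def current_user(cookie)
    sid = (SignedCookie.verify(cookie) || {})["session_id"]
    sid && @sessions.fetch(sid, {})["user_id"]
  end
end

# Walks both stores through login -> logout -> presenting the original cookie again.
def replay_after_logout
  cookie_app = CookieStoreApp.new
  old_cookie = cookie_app.login(42)
  cookie_app.logout(old_cookie)

  db_app = DbStoreApp.new
  old_db_cookie = db_app.login(42)
  db_app.logout(old_db_cookie)

  {
    cookie_store: cookie_app.current_user(old_cookie), # 42: the copy is still accepted
    db_store: db_app.current_user(old_db_cookie)       # nil: revoked server-side
  }
end

p replay_after_logout if __FILE__ == $0
```

The DB-backed variant is the one the reply argues for: revocation is a server-side write, so it does not matter whether the cookie was intercepted, nor whether the identifier inside it is a DB id or a GUID. With a pure cookie store there is nothing on the server to overwrite, which is why the HMAC alone cannot help against replay.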
