On Mar 22, 3:21 pm, "Jeremy Evans" <[EMAIL PROTECTED]> wrote:
> It's possible to mitigate the problem somewhat by having an expiration
> time put into the session (which cannot be modified by an attacker due
> to the HMAC).  However, you still won't be able to manually expire
> sessions (i.e. log out).

This will only help in cases where the attacker wants to steal
someone's identity.  But there are other uses of a replay attack -
like the example I initially mentioned - where this won't help at
all.  And even in the identity theft case - what's to stop the
attacker from using the computer 5 minutes after I leave?

In general, I'd offer the amount of confusion on this thread as the
best evidence that the average developer shouldn't have to deal with
these issues by default.
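As an added Ruby example (not code from the thread or from Rails itself) of the point being argued here: a cookie-store style session carrying an HMAC and an `expires_at` field still verifies when the same cookie is replayed before it expires, and a logout can only be honoured by a server-side record that the cookie cannot carry. The secret, field names and the `revoked` set are assumptions for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'set'

# Constructed secret for this example; a real deployment uses its own.
EXAMPLE_SECRET = 'constructed-example-secret'

# Serialize the session and append an HMAC, as a cookie store does.
def sign_session(session, secret = EXAMPLE_SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Constant-time comparison so the check does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the session hash if the HMAC checks out, nil if the cookie was altered.
def verify_session(cookie, secret = EXAMPLE_SECRET)
  payload, digest = cookie.split('--', 2)
  return nil unless payload && digest
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA256', secret, payload), digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Policy check on top of the HMAC. 'expires_at' bounds how long a captured
# cookie stays useful, but a replay before that moment still passes; honouring
# a logout needs a server-side record (here 'revoked') the cookie cannot carry.
def session_valid?(cookie, now:, revoked: Set.new)
  session = verify_session(cookie)
  return false unless session
  return false if session['expires_at'] <= now
  !revoked.include?(session['session_id'])
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session('user_id' => 42, 'session_id' => 's1', 'expires_at' => 1_000)
  puts "fresh cookie, before expiry: #{session_valid?(cookie, now: 500)}"   # true
  puts "same cookie replayed later:  #{session_valid?(cookie, now: 900)}"   # true
  puts "after expires_at:            #{session_valid?(cookie, now: 1_500)}" # false
  puts "after server-side logout:    #{session_valid?(cookie, now: 500, revoked: Set['s1'])}" # false
end
```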


You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.