On Mar 22, 8:27 pm, "Jeremy Kemper" <[EMAIL PROTECTED]> wrote:
> For example: to prevent user_id replay, store a last access timestamp
> in session that's updated on login and logout.
Store the last access *where*?
In Mongrel? But only one Mongrel can know that without them talking to
each other.
In the DB? So we need to hit the DB each time, only we need to do it
manually?
In a temp file? That's back to the default session store.
In the cookie itself? We haven't solved the problem. If the attacker
fishes out an older cookie - and, believe me, they're still on the
disk - he does a replay attack.
I think this is a fair question: most of the people arguing that
cookie stores are safe have also pointed out that they're not crypto
experts. Or security experts. Which is fine - I'm sure they're top-notch
developers. Before making something which relies on crypto the
Rails default, doesn't it make sense to have at least _one_ crypto or
security consultant review it? Perhaps Schneier will take a look...
SRJ, over-and-out
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Core" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---