> I think this is a fair question: most of the people arguing that cookie stores are safe have also pointed out that they're not crypto experts. Or security experts. Which is fine - I'm sure they're top notch developers.
> Before making something which relies on crypto the Rails default, doesn't it make sense to have at least _one_ crypto or security consultant review it? Perhaps Schneier will take a look...
If you'd like to coordinate this, I'd definitely be glad to hear from them. As it stands I think your complaint boils down to the lack of server-side invalidation of a session. Most everything else flows from that. I'm not sure that there's a shared-nothing way to take care of that, but the crypto experts would know for sure. Please do investigate having someone conduct a review.

-- 
Cheers

Koz
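To make concrete what the reply means by "lack of server-side invalidation", here is an added Ruby sketch (not Rails code and not from anyone in the thread): a minimal HMAC-signed cookie session in which a valid signature still verifies after logout, and revoking it requires exactly the shared server-side state that a pure cookie store avoids. The secret, the `sid` field and the revocation set are assumptions for the example.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'set'

# Constructed secret for this sketch; a real app derives its key from configured secrets.
SECRET = 'constructed-demo-secret-do-not-use'.freeze

# Serialise the session hash and append an HMAC-SHA256 over the encoded payload.
def sign_session(session, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stateless check: returns the session hash if the signature is valid, else nil.
# Nothing here can tell whether the user has since logged out.
def verify_session(cookie, secret = SECRET)
  payload, sig = cookie.split('--', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_equal?(sig, OpenSSL::HMAC.hexdigest('SHA256', secret, payload))
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Server-side revocation set (assumes 'sid' is a random per-login id stored in the cookie).
# This is the state a pure cookie store lacks; every app server must see it,
# which is what gives up the shared-nothing property.
REVOKED = Set.new

# Logout cannot "delete" a signed cookie the client still holds; it records the id as revoked.
def logout(cookie, revoked = REVOKED)
  session = verify_session(cookie)
  revoked << session['sid'] if session
end

# Stateful check: the signature must verify AND the session id must not be revoked.
def load_session(cookie, revoked = REVOKED)
  session = verify_session(cookie)
  return nil if session.nil? || revoked.include?(session['sid'])
  session
end
```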
