Good points. I worked up a quick plugin that uses DRb to store the nonce, and I'm doing some benchmarks on it now. I don't have time for anything fancy, but we can at least get in the ballpark.
Or, to put it in Zed's terms, we'll just run it 100 times each way and compare the numbers. :-) <ducks>

On Mar 23, 2007, at 10:31 AM, Jeremy Kemper wrote:

>
> On 3/22/07, Brad Ediger <[EMAIL PROTECTED]> wrote:
>> On Mar 22, 2007, at 7:27 PM, Jeremy Kemper wrote:
>>> Avoiding a single database lookup isn't the purpose of the cookie
>>> store.
>>
>> Sure, but you do remove a lot of the glamour of the cookie store if
>> it has to be tied to a database for a nonce lookup anyway.
>
> Smudge her mascara a little; she's still sexy in the morning.
>
> I already User.find(session[:user_id]) per request, so perhaps my
> expectations are different from yours.
>
>
>>> This discussion skipped plugging the session replay hole. I understand
>>> your concern, but I think you underestimate the average Rails
>>> developer.
>>
>> I might be over-concerned here, but I'm not talking about the average
>> Rails developer. I'm talking about the worst ones. I can tell you
>> that while the average Rails developer I've worked with would
>> certainly be able to understand this and work around it, I'm not sure
>> that the worst ones would even understand what the issue was if it
>> were explained to them.
>
> I don't think you're over-concerned. However, attempts to find a
> solution are not argument that session replay isn't a problem.
>
>
>>> For example: to prevent user_id replay, store a last access timestamp
>>> in session that's updated on login and logout.
>>
>> If I understand you correctly, you would also keep a copy of the
>> latest timestamp server-side. I would submit that for many
>> developers, storing a timestamp for each session on the server is not
>> much more attractive than just storing the whole session on the
>> server.
>
> Let's talk about practical fixes rather than whether we should write
> it off entirely.
>
> An application-level solution to user_id replay:
>
> Per request:
>   @current_user =
>     User.find_by_id_and_last_seen_at(session[:user_id],
>                                       session[:last_seen_at])
>
> On login:
>   @current_user.update_attribute :last_seen_at, Time.now
>   session[:user_id] = @current_user.id
>   session[:last_seen_at] = @current_user.last_seen_at
>
> On logout:
>   @current_user.update_attribute :last_seen_at, Time.now
>   reset_session
>
> This requires one additional database query on logout to invalidate
> future reuse of that session and no additional per-request queries.
>
> Anyone care to try a generic, automatic nonce and benchmark the
> results?
>
> jeremy
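The last_seen_at scheme quoted above, worked through as an added example that is not code from the thread or from Rails: a database-free stand-in for the users table and for the cookie session, so the replay check can be run end to end. `UserStore`, `SessionReplayDemo`, the injected clock and the epoch values are all constructed for the demo; `find_by_id_and_last_seen_at` mirrors the dynamic finder Jeremy names but is implemented here as a hash lookup.

```ruby
# Constructed stand-in for the users table: id => { name:, last_seen_at: }.
class UserStore
  def initialize
    @rows = {}
    @next_id = 1
  end

  def create(name)
    id = @next_id
    @next_id += 1
    @rows[id] = { name: name, last_seen_at: nil }
    id
  end

  # Counterpart of User.find_by_id_and_last_seen_at: both columns must match,
  # and a user who has never logged in (nil stamp) never matches.
  def find_by_id_and_last_seen_at(id, last_seen_at)
    row = @rows[id]
    return nil if row.nil? || row[:last_seen_at].nil?
    row[:last_seen_at] == last_seen_at ? row.merge(id: id) : nil
  end

  def update_last_seen_at(id, time)
    @rows[id][:last_seen_at] = time
  end
end

# The cookie-stored session is a hash the client holds; a copy of it presented
# later is exactly the replay the scheme is meant to invalidate.
class SessionReplayDemo
  # clock: a callable returning whole seconds (injected so the demo is deterministic)
  def initialize(store, clock)
    @store = store
    @clock = clock
  end

  # On login: stamp the user row and copy the same stamp into the cookie.
  def login(user_id)
    now = @clock.call
    @store.update_last_seen_at(user_id, now)
    { user_id: user_id, last_seen_at: now }
  end

  # Per request: the cookie is honoured only while its stamp matches the row.
  def current_user(session)
    @store.find_by_id_and_last_seen_at(session[:user_id], session[:last_seen_at])
  end

  # On logout: restamp the row (the one extra query), then reset the session.
  def logout(session)
    user = current_user(session)
    @store.update_last_seen_at(user[:id], @clock.call) if user
    {}
  end
end

# Runs login -> capture a copy of the cookie -> logout -> re-login, and reports
# whether the stale copy still resolves to a user at each stage.
def replay_scenario
  store = UserStore.new
  alice = store.create('alice')
  tick = 1_174_600_000 # constructed epoch seconds; advances on every clock call
  demo = SessionReplayDemo.new(store, -> { tick += 1 })

  session = demo.login(alice)
  stale_copy = session.dup
  before_logout = !demo.current_user(stale_copy).nil?
  demo.logout(session)
  after_logout = !demo.current_user(stale_copy).nil?
  demo.login(alice) # a fresh login restamps the row, so the old copy stays dead
  after_relogin = !demo.current_user(stale_copy).nil?

  { before_logout: before_logout, after_logout: after_logout, after_relogin: after_relogin }
end

puts replay_scenario.inspect if $PROGRAM_NAME == __FILE__
```

The clock here always advances, which hides one caveat a deployment should check: if the database stores last_seen_at at whole-second precision and a logout and a later login land in the same second, the two stamps collide and a cookie issued by the first login keeps matching until the next restamp. Comparing at the precision the column actually stores, or swapping the timestamp for a random per-login token (the "generic, automatic nonce" asked for at the end of the quoted message), removes that window.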