On Mar 22, 11:42 pm, "Michael Koziarski" <[EMAIL PROTECTED]>
wrote:
> If you'd like to coordinate this, I'd definitely be glad to hear from
> them.  As it stands I think your complaint boils down to the lack of
> server-side invalidation of a session.  Most everything else flows
> from that.  I'm not sure that there's a shared nothing way to take
> care of that, but the crypto experts would know for sure.
>
> Please do investigate having someone conduct a review.

To get started, here's a good link on the concept of replay attacks
and nonces:
http://www.openidenabled.com/openid/replay-attack-prevention

And here's a nonce implementation by Sam Ruby (not a crypto expert by
any means, but a smart Ruby dev for sure - the implementation is in
Python, though):
http://www.intertwingly.net/blog/1585.html


You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.