Perhaps that is your problem. You haven't modelled the login session properly in Rails.

There seems to be an assumption that 'session' handles all this automatically, when in reality it is nothing more than a fancy hash. A login session exists at a point in time for a particular period of time. It should expire. It is related to a particular user ID (and possibly a browser/IP sequence) and a particular set of transaction sequences. You don't get that with 'session' - you have to model it properly. If you haven't modelled the functionality, then you can't expect to use it.

I suspect the name 'session' is the problem. It's an overloaded concept with a load of built-in expectations. However 'semi_persistent_hash' isn't anywhere as easy to type.

NeilW

On Mar 22, 3:44 pm, Brad Ediger <[EMAIL PROTECTED]> wrote:
> I can't come up with an attack other than the replay attack, but that "I am logged in as Joe User" message seems too general to make me feel completely comfortable about authentication via cookie sessions for the time being.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
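As an added example (not NeilW's code or anything from Rails itself), one way to model the login session the post describes in plain Ruby: the value in the cookie is only an opaque lookup token, and the server-side record carries the user ID, an idle and absolute expiry, and a fingerprint of the client it was issued to. The in-memory hash is an assumption standing in for a database table.

```ruby
require "securerandom"
require "digest"

# Server-side login session record. The browser holds only `token`;
# the server decides whether that token still maps to a live session.
LoginSession = Struct.new(:token, :user_id, :client_hash, :issued_at, :expires_at,
                          keyword_init: true)

class LoginSessionStore
  IDLE_LIMIT     = 30 * 60   # seconds of inactivity before the session expires
  ABSOLUTE_LIMIT = 8 * 3600  # hard lifetime cap, regardless of activity

  def initialize
    @sessions = {}           # token => LoginSession (constructed stand-in for a DB table)
  end

  # Issues a fresh random token bound to a user and to a hash of client
  # attributes (e.g. user agent plus IP range), so the same token presented
  # from a different client is refused rather than silently replayed.
  def open(user_id:, client:, now: Time.now)
    token = SecureRandom.hex(32)
    @sessions[token] = LoginSession.new(token: token, user_id: user_id,
                                        client_hash: fingerprint(client),
                                        issued_at: now, expires_at: now + IDLE_LIMIT)
    token
  end

  # Returns [:ok, user_id] on success, or [reason, nil]. Expired or
  # mismatched sessions are destroyed so they cannot be retried.
  def authenticate(token, client:, now: Time.now)
    s = @sessions[token]
    return [:unknown, nil] unless s
    if now >= s.expires_at || now - s.issued_at >= ABSOLUTE_LIMIT
      @sessions.delete(token)
      return [:expired, nil]
    end
    unless s.client_hash == fingerprint(client)
      @sessions.delete(token)
      return [:client_mismatch, nil]
    end
    s.expires_at = now + IDLE_LIMIT   # sliding idle window, capped by ABSOLUTE_LIMIT
    [:ok, s.user_id]
  end

  # Explicit logout: the record goes away, so the token is dead server-side.
  def close(token)
    @sessions.delete(token)
  end

  private

  def fingerprint(client)
    Digest::SHA256.hexdigest(client.to_s)
  end
end
```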
