How, exactly, would you model the login session so as to be immune to  
replay attacks with shared-nothing on the server side?

session[:user_id] is perfectly safe with a server-side session. It is  
not with a client-side session.

User session expiration has almost nothing to do with this  
discussion. Expiring user sessions doesn't prevent sessions from  
being replayed during the validity period. And there's no way to  
expire user sessions with only a client cookie. We're looking first  
for a general solution.

I do have a bigger problem with your statement that "If you haven't  
modelled the functionality, then you can't expect to use it." It is  
the job of the framework to give developers functionality that they  
don't have to model. Otherwise Rails would just punt and say "Here's  
how you set and read a cookie. If you want to use sessions, model  
them yourself."

On Mar 26, 2007, at 1:27 PM, Neil Wilson wrote:

>
> Perhaps that is your problem. You haven't modelled the login session
> properly in Rails.
>
> There seems to be an assumption that 'session' handles all this
> automatically, when in reality it is nothing more than a fancy hash.
>
> A login session exists at a point in time for a particular period of
> time. It should expire. It is related to a particular user ID (and
> possibly a browser/IP sequence) and a particular set of transaction
> sequences. You don't get that with 'session' - you have to model it
> properly. If you haven't modelled the functionality, then you can't
> expect to use it.
>
> I suspect the name 'session' is the problem. It's an overloaded
> concept with a load of built-in expectations. However
> 'semi_persistent_hash' isn't anywhere as easy to type.
>
> NeilW
>
> On Mar 22, 3:44 pm, Brad Ediger <[EMAIL PROTECTED]> wrote:
>> I can't come up with an
>> attack other than the replay attack, but that "I am logged in as Joe
>> User" message seems too general to make me feel completely
>> comfortable about authentication via cookie sessions for the time  
>> being.
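
The reply above asks how a client-side session could be made resistant to replay without server-side session state. As an added example (not code from this thread or from Rails), here is a miniature signed cookie carrying an expiry plus a per-user generation counter kept on the user record; the user table, the `session_generation` column and the secret are assumptions. It shows what Brad describes: expiry alone still admits replay inside the validity window, and revoking an outstanding cookie needs at least one server-held value.

```ruby
require 'openssl'
require 'json'

# Constructed secret for this example; a real app uses its own secret.
SECRET = 'example-secret-do-not-reuse'.freeze

# Stand-in for a user row. :session_generation is a hypothetical column that
# is bumped on logout or password change, so cookies minted before the bump
# stop verifying even though their signature is still valid.
USERS = { 42 => { session_generation: 1 } }

def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
end

# Constant-time comparison so the MAC check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint a cookie value: hex(JSON payload) + "--" + HMAC, in the spirit of
# Rails' CookieStore. `now` and `ttl` are integer seconds.
def issue_cookie(user_id, now:, ttl:)
  data = { 'user_id' => user_id,
           'gen' => USERS.fetch(user_id)[:session_generation],
           'exp' => now + ttl }
  payload = JSON.generate(data).unpack1('H*')
  "#{payload}--#{sign(payload)}"
end

# Returns the user_id, or nil for a tampered, expired or revoked cookie.
def verify_cookie(cookie, now:)
  payload, mac = cookie.split('--', 2)
  return nil unless payload && mac
  return nil unless secure_equal?(sign(payload), mac)
  data = JSON.parse([payload].pack('H*'))
  return nil if now >= data['exp']
  user = USERS[data['user_id']]
  return nil unless user && user[:session_generation] == data['gen']
  data['user_id']
rescue JSON::ParserError
  nil
end

# Logging out cannot reach cookies already in the wild, but bumping the
# generation makes every outstanding cookie for this user fail verification.
def logout(user_id)
  USERS.fetch(user_id)[:session_generation] += 1
end
```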



You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-core?hl=en
