On Mar 26, 7:40 pm, Brad Ediger <[EMAIL PROTECTED]> wrote:
> How, exactly, would you model the login session so as to be immune to
> replay attacks with shared-nothing on the server side?
Use a server-side session store, not a client-side one.
> I do have a bigger problem with your statement that "If you haven't
> modelled the functionality, then you can't expect to use it." It is
> the job of the framework to give developers functionality that they
> don't have to model. Otherwise Rails would just punt and say "Here's
> how you set and read a cookie. If you want to use sessions, model
> them yourself."
Why not go the whole hog and provide us with a default fifteen level
login system with access control lists?
The issue is where the framework ends and the application begins. A
Rails app that just uses the flash and a setting to determine whether
to show the welcome page doesn't need nonces and anti-replay devices.
Perhaps the first job is to step back a little and ask how much you
*really* should stuff into the session. What is the job of that little
semi-persistent hash?
NeilW
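The distinction NeilW draws above, as an added example that is not code from the thread or from Rails itself: with a client-side (signed cookie) store the server holds nothing it could invalidate, so a copy of the cookie taken while the session was live still verifies after logout, whereas a server-side store can simply forget the id. The signed-cookie format, the HMAC secret and the session contents are constructed for illustration.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Client-side store: the whole session rides in a signed cookie (constructed
# base64(JSON)--HMAC format), so the server keeps no record of it.
class CookieStore
  def initialize(secret); @secret = secret; end

  def issue(data)
    payload = [JSON.generate(data)].pack('m0')
    "#{payload}--#{hmac(payload)}"
  end

  # Only the signature can be checked; nothing records that this copy is stale.
  def load(cookie)
    payload, sig = cookie.to_s.split('--', 2)
    return nil unless sig && constant_time_equal?(hmac(payload), sig)
    JSON.parse(payload.unpack1('m0'))
  end

  def logout(_cookie); end  # nothing server-side to forget

  private

  def hmac(str); OpenSSL::HMAC.hexdigest('SHA256', @secret, str); end

  def constant_time_equal?(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Server-side store: the cookie carries only a random id; the data stays here.
class ServerStore
  def initialize; @sessions = {}; end   # id => data (a DB or memcached in practice)

  def issue(data)
    id = SecureRandom.hex(16)
    @sessions[id] = data
    id
  end

  def load(id); @sessions[id]; end
  def logout(id); @sessions.delete(id); end  # the id is now meaningless
end

# Does a cookie copied while the session was live still load after logout?
def replay_after_logout(store)
  cookie = store.issue('user_id' => 42)   # constructed session contents
  captured = cookie.dup
  store.logout(cookie)
  !store.load(captured).nil?
end
```

`replay_after_logout` returns true for the cookie store and false for the server-side store; a real cookie store can only bound the damage with expiry timestamps or by moving state (a nonce table, a revocation list) back onto the server.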
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Core" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---