On 3/21/07, S. Robert James <[EMAIL PROTECTED]> wrote: > > I'm concerned about the possibility of replay attacks with cookie > sessions. This is a standard security issue. >
Just adding my $0.02: I like the shared-nothing cookie store as an option, for performance/scalability reasons. Just document the vulnerability to replay attacks and maybe add a timestamp to limit how long the cookie remains valid. The nonce thing adds a lot of complexity, and if you need to hit shared storage anyway there's just no point. As far as I'm concerned, updating a nounce or the actual session data has similar overhead. I'd prefer a db backed session store replacing the current default. Ideally it would be automatically created, indexed and purged of stale data. Isak --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en -~----------~----~----~----~------~----~------~--~---
