How about just NOT changing the default setting to this less secure option? Problem solved.
On 3/29/07, Isak Hansen <[EMAIL PROTECTED]> wrote:
>
> On 3/21/07, S. Robert James <[EMAIL PROTECTED]> wrote:
> >
> > I'm concerned about the possibility of replay attacks with cookie sessions. This is a standard security issue.
> >
>
> Just adding my $0.02:
>
> I like the shared-nothing cookie store as an option, for performance/scalability reasons. Just document the vulnerability to replay attacks and maybe add a timestamp to limit how long the cookie remains valid.
>
> The nonce thing adds a lot of complexity, and if you need to hit shared storage anyway there's just no point. As far as I'm concerned, updating a nonce or the actual session data has similar overhead.
>
> I'd prefer a db-backed session store replacing the current default. Ideally it would be automatically created, indexed and purged of stale data.
>
> Isak
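As an added illustration of the timestamp mitigation Isak describes (example code written for this thread, not Rails' own cookie store): a shared-nothing cookie that carries its issue time under an HMAC, so a captured cookie stops validating after MAX_AGE seconds while, within that window, the same cookie still replays, which is the residual risk he asks to document. SECRET, MAX_AGE and the helper names are assumptions made for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed example values; a real deployment would load the key from config.
SECRET  = 'example-secret-key-not-for-production'
MAX_AGE = 900 # seconds a cookie stays valid after it was issued

def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
end

# Constant-time comparison so the signature check leaks no timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize the session together with its issue time ('iat'), then append an
# HMAC over that payload so neither the data nor the timestamp can be altered.
def build_cookie(session, now)
  payload = Base64.strict_encode64(JSON.generate({ 'data' => session, 'iat' => now }))
  "#{payload}--#{sign(payload)}"
end

# Check the signature first, then the age. Returns the session hash, or nil when
# the cookie is malformed, tampered with, or older than MAX_AGE. Nothing here
# detects a verbatim replay inside the window: that needs server-side state.
def load_cookie(cookie, now)
  payload, sig = cookie.split('--', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_equal?(sig, sign(payload))
  decoded = JSON.parse(Base64.strict_decode64(payload))
  return nil unless decoded['iat'].is_a?(Integer)
  return nil if now - decoded['iat'] > MAX_AGE
  decoded['data']
rescue ArgumentError, JSON::ParserError
  nil
end
```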
