Hi,
Has there been any sort of “official” response to G.S. McNamara's recent blog post “Logout is broken by default in Ruby on Rails web applications” <http://maverickblogging.com/logout-is-broken-by-default-ruby-on-rails-web-applications/> (also see the discussion on Hacker News <https://news.ycombinator.com/item?id=6545923>)?

The TL;DR is:

> Ruby on Rails Web applications versions 2.0 through 4.0 are by default
> vulnerable to an oft-overlooked Web application security issue: Session
> cookies are valid for life. The fix is to configure your Rails app to store
> most session information on the server side in the database.

Should this receive more attention in the Rails Guides, or maybe there should be a post on the Riding Rails blog explaining what the view of the Rails core team is on this matter (and the reasoning behind it)?

I know that there's little that can be done about this on the code side of things without changing away from using CookieStore as the default session storage mechanism…

Best regards,
Matias Korhonen
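The property the post is about, shown in runnable form. This is an added example, not code from the post, the linked blog, or Rails itself: two toy session stores model the difference between Rails' CookieStore (everything lives in an HMAC-signed cookie; the server keeps no record) and a database-backed store such as the ActiveRecord session store the post's fix switches to (the cookie carries only a random id; the data lives in a server-side row). The class names `CookieSessionStore` and `ServerSessionStore`, the JSON payload (real Rails 2/3 cookies carry Marshal data) and the in-memory hash standing in for the sessions table are simplifications for this demo. Running it shows that after logout a copied cookie is still accepted by the cookie-backed store, because there is nothing on the server to invalidate, while the server-side store rejects it once its row is deleted. In a Rails app the switch the post recommends is `config.session_store :active_record_store` in `config/initializers/session_store.rb` (Rails 4 needs the `activerecord-session_store` gem). Rails 4 also encrypts the cookie rather than only signing it, which does not change this property: the server still holds no state to revoke.

```ruby
require "json"
require "openssl"
require "securerandom"

# Simplified model of Rails' CookieStore: Base64(payload) + "--" + hex HMAC-SHA1.
# The "--" separator and HMAC-SHA1 layout follow the Rails 2/3 cookie format;
# the JSON payload is a simplification for this demo (Rails used Marshal).
class CookieSessionStore
  def initialize(secret)
    @secret = secret
  end

  # Login: the whole session lives in the signed cookie value.
  def write(session)
    payload = [JSON.generate(session)].pack("m0")
    "#{payload}--#{sign(payload)}"
  end

  # Every request: accept any cookie whose signature verifies. There is no
  # server-side record to consult, so no single cookie can be revoked.
  def read(cookie)
    payload, sig = cookie.to_s.split("--", 2)
    return nil unless payload && sig && secure_compare(sign(payload), sig)
    JSON.parse(payload.unpack1("m0"))
  rescue JSON::ParserError, ArgumentError
    nil
  end

  # Logout: the app tells the browser to drop the cookie, but nothing changes
  # on the server; a copy of the cookie stays valid until the secret rotates.
  def destroy(_cookie)
    nil
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA1", @secret, payload)
  end

  # Constant-time comparison so a forged signature cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Simplified model of a database-backed store (what the post's fix switches to):
# the cookie carries only a random session id, the data lives server-side,
# and logout deletes the row. The hash stands in for the sessions table.
class ServerSessionStore
  def initialize
    @rows = {}
  end

  def write(session)
    sid = SecureRandom.hex(16)
    @rows[sid] = session
    sid
  end

  def read(sid)
    @rows[sid]
  end

  def destroy(sid)
    @rows.delete(sid)
    nil
  end
end

# Scenario from the post: the user logs in, someone obtains a copy of the
# session cookie, the user logs out, and the copy is replayed afterwards.
# Returns true when the replayed cookie is still accepted as user 42.
def replay_after_logout(store)
  cookie   = store.write("user_id" => 42)   # login
  captured = cookie.dup                     # cookie copied while the session was live
  store.destroy(cookie)                     # user logs out
  session  = store.read(captured)           # old cookie presented again
  !session.nil? && session["user_id"] == 42
end

if __FILE__ == $PROGRAM_NAME
  puts "CookieStore, old cookie still valid after logout? " \
       "#{replay_after_logout(CookieSessionStore.new(SecureRandom.hex(32)))}"
  puts "Server-side store, old cookie still valid after logout? " \
       "#{replay_after_logout(ServerSessionStore.new)}"
end
```

The cookie-backed store does verify integrity (a modified payload or signature is rejected), which is exactly what the post is not complaining about; the gap is that validity is tied only to the signing secret, so the only server-side way to kill every outstanding cookie is to rotate that secret, which logs out every user at once.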
