On Jul 29, 3:49 pm, 7stud -- <[email protected]> wrote:
> "Ruby on Rails 3 Tutorial" says,

Which Ruby on Rails tutorial? There are many ...

> ==
> This session object makes the user id available from page to page by
> storing it in a cookie that expires upon browser close...
> Because of the way Rails handles sessions this process is secure; if a
> malicious user tries to spoof the user id, Rails will detect a mismatch
> based on a special session id generated for each session.
> ==
>
> Okay, so the spoofer can guess a user id, e.g. 1, and create a cookie
> with that id, but when he logs into the app, rails will give the spoofer
> his own session id, and the [spoofer_session_id, user_id] will not be a
> pairing that Rails allows.

Another important thing is that the data in the session store is
cryptographically signed - if you tamper with the cookie data then it
won't match the signature in the cookie.

> Whoa. What happens in this scenario: user logs in and rails stores a
> permanent, impossible to guess token with a timestamp in a cookie on the
> user's computer.
> The user goes on vacation for two weeks. While the user is on vacation,
> the malicious user gains access to the user's computer and inspects the
> cookies on the user's computer, and copies the token plus timestamp. The
> malicious user goes to his computer, creates a cookie with the copied
> token, and logs into the app.
> Won't the malicious user have free access to the user's account? When
> the malicious user logs out of the user's account, won't rails store a
> token with a timestamp on the malicious user's computer? In fact won't
> the real user find it impossible to access his account when he gets back
> from vacation because his timestamp will no longer be valid?

Again guessing because I don't know which tutorial you are talking about,
but I believe the pattern being discussed is one where whenever the user
logs in then the permanent token is replaced (and so any old/previously
stolen tokens stop working). So you can still steal browser cookies but
they will only be useful until the user next logs in.
If the user's token is invalid then they can sign in using their username and password.

Fred
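Fred's two points above (a signed cookie that rejects an edited user id, and a permanent remember token that is replaced on every login so a stolen copy stops working) as an added Ruby example. This is not code from the tutorial, from Rails, or from anyone in this thread. The cookie layout copies only the shape of what ActiveSupport::MessageVerifier emits (base64 payload, `--`, hex MAC); HMAC-SHA256, the constructed COOKIE_SECRET, the in-memory USERS hash, the digest-of-token storage and all helper names are assumptions made for illustration.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Constructed secret for this example. A real Rails app derives the cookie
# signing key from its secret_key_base; never hard-code one like this.
COOKIE_SECRET = 'example-only-secret-not-for-production'.freeze

# Constant-time string comparison so a forged MAC cannot be refined by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed cookie in the shape ActiveSupport::MessageVerifier produces:
# "<base64 payload>--<hex HMAC>". HMAC-SHA256 is an assumption here.
def sign_cookie(payload)
  data = Base64.strict_encode64(JSON.generate(payload))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', COOKIE_SECRET, data)}"
end

# Returns the payload, or nil if the MAC does not match the data. Editing the
# user_id inside the cookie without knowing the secret always lands here.
def verify_cookie(cookie)
  data, mac = cookie.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', COOKIE_SECRET, data)
  return nil unless secure_equal?(mac, expected)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# In-memory stand-in for the users table (assumption for the example). Only a
# digest of the remember token is stored, so a DB leak does not leak live tokens.
USERS = { 1 => { name: 'alice', remember_digest: nil } }

def token_digest(token)
  OpenSSL::Digest::SHA256.hexdigest(token)
end

# Run on every successful password login: mint a fresh random token, overwrite
# the stored digest, hand the raw token back to be set in a permanent cookie.
# Overwriting is what invalidates any copy stolen from an earlier session.
def issue_remember_token(user_id)
  token = SecureRandom.urlsafe_base64(32)
  USERS[user_id][:remember_digest] = token_digest(token)
  token
end

# Run on a request carrying the permanent cookie: check the signature first,
# then compare the digest of the presented token with the stored one.
def user_from_remember_cookie(cookie)
  payload = verify_cookie(cookie)
  return nil unless payload
  user = USERS[payload['user_id']]
  return nil unless user && user[:remember_digest] && payload['token'].is_a?(String)
  secure_equal?(token_digest(payload['token']), user[:remember_digest]) ? payload['user_id'] : nil
end

# Scenario from the thread: the permanent cookie is copied off the victim's
# machine, then the victim signs in again with username and password.
def stolen_token_scenario
  victim_cookie = sign_cookie('user_id' => 1, 'token' => issue_remember_token(1))
  stolen = victim_cookie.dup
  before = user_from_remember_cookie(stolen)       # the copy works for now
  rotated_cookie = sign_cookie('user_id' => 1, 'token' => issue_remember_token(1))
  {
    stolen_before_rotation: before,                                  # 1
    stolen_after_rotation: user_from_remember_cookie(stolen),        # nil
    victim_after_rotation: user_from_remember_cookie(rotated_cookie) # 1
  }
end

# Scenario from the thread: guess user_id 1 and write it into a cookie that
# was issued for someone else, keeping that cookie's MAC.
def spoofed_user_id_scenario
  _data, mac = sign_cookie('user_id' => 2, 'token' => 'irrelevant').split('--', 2)
  forged = Base64.strict_encode64(JSON.generate('user_id' => 1, 'token' => 'irrelevant'))
  verify_cookie("#{forged}--#{mac}")   # nil: the MAC covers the data it was issued for
end

if __FILE__ == $PROGRAM_NAME
  p stolen_token_scenario
  p spoofed_user_id_scenario
end
```

The rotation is the whole defence against the vacation scenario: the stolen cookie is valid right up to the moment the legitimate user next signs in with a password, because that login overwrites the stored digest. A logout handler that clears `remember_digest` closes the window earlier, at the cost that the real user also has to log in again with username and password, which is what Fred describes.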

