On Jul 29, 2011, at 3:07 PM, 7stud -- wrote:
> Walter Davis wrote in post #1013792:
>> The only way we have determined that this is possible is with physical
>> access to the computer.
>
> Are you saying that the malicious user can only gain access to the
> user's account while using the user's computer? Or, is it true that
> once the malicious user has a copy of the cookie, he can access the
> account from any computer?
>
>> As in any security scheme, that pretty well trumps anything that
>> doesn't rely on the user logging in every time, and time-limited
>> sessions.
>
> I wasn't critiquing rails, I was trying to understand why the author of
> the book said the persistent session was impervious to attack--after
> himself raising the specter of a malicious user gaining access to the
> user's computer. His explanation didn't make sense to me.
In answer to both of your questions, I was saying that physical access
to a computer where the user has checked the "remember me" option
completely trumps the security system. The computer becomes the key to
the lock, so if you steal that key... Which is another good reason to
always include a password lock on your screensaver, and disable any
auto-login convenience features. Especially on a laptop, but even on a
desktop that isn't in a locked room.
As far as a copy of the cookie being useful, I'm not sure I can
comment. I think that it would work up until the point where the real
user logged in again, and the fact that the user *had* to log in again
might worry/alert a suitably clueful user that their remember me
cookie had changed. But I can't say definitively, because I don't know
what all goes into the cryptographic signature of the remember me
cookie. If it's something based on the individual browser, then it
seems likely to me that it might fail on a different browser.
Walter
--
Posted via http://www.ruby-forum.com/.
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-[email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
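As an added illustration (not code from the thread, the book, or Rails itself), a toy remember-me store in Ruby that shows both points Walter raises: an HMAC-signed cookie is accepted from whatever client presents it, since nothing in the signature identifies the browser or machine, and what actually retires a copied cookie is the server rotating its stored token when the real user logs in again. The class name, secret and user id are constructed for the demo.

```ruby
require "openssl"
require "securerandom"
# Toy "remember me" store: cookie = user_id:token:hmac. The server keeps the
# current token per user, so a cookie is valid only while that token is current.
class RememberMe
  def initialize(secret)
    @secret = secret
    @tokens = {} # user_id => token currently on file (server side)
  end
  # Called on every login: mints a new token, silently retiring the old one.
  def issue(user_id)
    token = SecureRandom.hex(16)
    @tokens[user_id] = token
    payload = "#{user_id}:#{token}"
    "#{payload}:#{sign(payload)}"
  end
  # Returns user_id for a valid cookie, nil otherwise. Nothing here looks at the
  # browser or machine presenting the cookie: only the signature and the
  # server-side token decide.
  def authenticate(cookie)
    user_id, token, sig = cookie.to_s.split(":", 3)
    return nil unless user_id && token && sig
    return nil unless secure_compare(sign("#{user_id}:#{token}"), sig)
    return nil unless @tokens[user_id] == token
    user_id
  end
  private
  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end
  # Constant-time comparison: a forged signature cannot be probed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Replays the thread's scenario with a constructed secret and user id.
def demo
  store = RememberMe.new("constructed-demo-secret")
  copied = store.issue("42")                            # copy of the user's cookie
  before = store.authenticate(copied)                   # "42": accepted from any client
  forged = store.authenticate(copied.sub(/\A42/, "7"))  # nil: HMAC does not match
  store.issue("42")                                     # the real user logs in again
  after = store.authenticate(copied)                    # nil: the old copy is retired
  { before: before, forged: forged, after: after }
end
```

Rotating the token on every successful cookie use, rather than only at login, would additionally invalidate the legitimate user's cookie the moment a copy is used, which is exactly the forced re-login signal Walter hopes a clueful user would notice.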