On Jul 29, 8:07 pm, 7stud -- <[email protected]> wrote:
> Walter Davis wrote in post #1013792:
>
> > The only way we have determined that this is possible is with physical
> > access to the computer.
>
> Are you saying that the malicious user can only gain access to the
> user's account while using the user's computer? Or, is it true that
> once the malicious user has a copy of the cookie, he can access the
> account from any computer?
>

In the scheme you've outlined, I think it would work from any computer. It could be extended though. I once implemented a scheme whereby the ip address was part of the cryptographically signed info so that the persistent cookie was valid only from that ip address (obviously this has some limitations/problems too)
Fred

> > As in any security scheme, that pretty well
> > trumps anything that doesn't rely on the user logging in every time,
> > and time-limited sessions.
>
> I wasn't critiquing rails, I was trying to understand why the author of
> the book said the persistent session was impervious to attack--after
> himself raising the specter of a malicious user gaining access to the
> user's computer. His explanation didn't make sense to me.
>
> --
> Posted via http://www.ruby-forum.com/.
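The scheme Fred describes, a persistent cookie whose signature covers the client IP as well as the user id and expiry, sketched as an added example that is not code from this thread or from Rails. The function names (`issue_remember_token`, `verify_remember_token`), the secret, and the two IP addresses from the documentation ranges are all constructed for the example; a real application would take the secret from its key store rather than a constant. The demo shows why a copied cookie is useless from another address (the HMAC no longer verifies), and also why the approach has the problems Fred mentions: any legitimate change of address, such as a laptop moving between networks or a mobile carrier re-assigning NAT addresses, invalidates the cookie in exactly the same way.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed server-side secret for the example only; in a Rails app this
# would come from the application's secret/credentials store.
SECRET = 'constructed-example-secret-do-not-reuse'.freeze

# HMAC-SHA256 over the encoded payload; hex so it is cookie-safe.
def sign(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, secret, data)
end

# Constant-time comparison so signature checking does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build a "remember me" cookie value. The signed payload binds the token to
# the user id, an expiry time, and the IP address it was issued to.
def issue_remember_token(user_id:, client_ip:, expires_at:, secret: SECRET)
  payload = JSON.generate('uid' => user_id, 'ip' => client_ip, 'exp' => expires_at.to_i)
  encoded = Base64.urlsafe_encode64(payload, padding: false)
  "#{encoded}.#{sign(encoded, secret)}"
end

# Verify a presented cookie against the address presenting it.
# Returns the user id on success, nil on any failure: bad signature,
# tampered payload, expiry passed, or presented from a different IP.
def verify_remember_token(token, client_ip:, now:, secret: SECRET)
  encoded, sig = token.to_s.split('.', 2)
  return nil if encoded.nil? || sig.nil?
  return nil unless secure_equal?(sig, sign(encoded, secret))

  payload = JSON.parse(Base64.urlsafe_decode64(encoded))
  return nil unless payload['exp'].is_a?(Integer) && payload['exp'] > now.to_i
  return nil unless payload['ip'] == client_ip

  payload['uid']
rescue ArgumentError, JSON::ParserError
  nil
end

# Walk through the cases discussed in the thread with constructed inputs.
def demo
  issued_at = Time.utc(2011, 7, 29, 20, 0, 0)
  home_ip = '203.0.113.5'     # constructed: where the cookie was issued
  other_ip = '198.51.100.7'   # constructed: where a copied cookie is replayed
  token = issue_remember_token(user_id: 42, client_ip: home_ip,
                               expires_at: issued_at + 14 * 24 * 3600)

  # A payload re-encoded for the other address but carrying the old signature.
  forged_payload = JSON.generate('uid' => 42, 'ip' => other_ip, 'exp' => (issued_at + 3600).to_i)
  forged = "#{Base64.urlsafe_encode64(forged_payload, padding: false)}.#{token.split('.').last}"

  {
    same_ip:     verify_remember_token(token, client_ip: home_ip,  now: issued_at + 3600),
    stolen_copy: verify_remember_token(token, client_ip: other_ip, now: issued_at + 3600),
    expired:     verify_remember_token(token, client_ip: home_ip,  now: issued_at + 15 * 24 * 3600),
    tampered:    verify_remember_token(forged, client_ip: other_ip, now: issued_at + 3600)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Only `same_ip` yields the user id; the copied cookie, the expired cookie and the re-encoded payload all fail closed. The IP check happens after the signature check on purpose, so an attacker cannot learn which address a token was bound to by probing with forged payloads.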

