On Jul 29, 10:49 am, 7stud -- <[email protected]> wrote:
> The user goes on vacation for two weeks. While the user is on vacation,
> the malicious user gains access to the user's computer and inspects the
> cookies on the user's computer, and copies the token plus timestamp. The
> malicious user goes to his computer, creates a cookie with the copied
> token, and logs into the app. Won't the malicious user have free access
> to the user's account?
Sure, but at this point the user is pretty thoroughly pwned anyways - there's no system that will protect the login here, short of ditching the whole "persistent login" part and requiring the user to re-authenticate on each visit.

--Matt Jones
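To make the exchange concrete, here is an added example of the kind of "token plus timestamp" remember-me cookie the question describes. It is not code from either poster or from Rails; the HMAC over the cookie body, the server-side store of a token hash, and the `RememberMe` class name are assumptions made for the example. It shows the three things the thread turns on: a byte-for-byte copy of the cookie authenticates from any machine (Matt's point), the timestamp only bounds how long the stolen copy works, and the one lever the server keeps is invalidating the token so every copy dies at once.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical persistent-login ("remember me") scheme, written as an added
# example. The cookie carries a random token plus an expiry timestamp, the
# shape of cookie discussed in the thread; the HMAC and the server-side hash
# store are assumptions added here, not anything the thread describes.
class RememberMe
  TTL = 14 * 24 * 3600 # two weeks, the vacation length in the question

  def initialize(secret)
    @secret = secret
    @store = {} # user_id => SHA-256 of the current token (nil after logout)
  end

  # Issue a cookie value "user_id:token:expires_at:mac". The server keeps only
  # a hash of the token, so a leaked database does not yield usable cookies.
  def issue(user_id, now = Time.now.to_i)
    token = SecureRandom.hex(16)
    expires_at = now + TTL
    @store[user_id] = digest(token)
    body = "#{user_id}:#{token}:#{expires_at}"
    "#{body}:#{mac(body)}"
  end

  # Returns the user_id if the cookie is valid, nil otherwise.
  # A verbatim copy of a valid cookie passes every check here: nothing in the
  # cookie ties it to the machine it was copied from, which is Matt's point.
  def authenticate(cookie, now = Time.now.to_i)
    user_id, token, expires_at, tag = cookie.to_s.split(':', 4)
    return nil unless user_id && token && expires_at && tag
    body = "#{user_id}:#{token}:#{expires_at}"
    return nil unless secure_compare(mac(body), tag) # forged or edited cookie
    return nil if expires_at.to_i <= now             # timestamp has expired
    stored = @store[user_id]
    return nil unless stored && secure_compare(stored, digest(token)) # revoked
    user_id
  end

  # What the server can still do: logging out replaces the stored hash, which
  # invalidates every copy of the cookie, including the attacker's.
  def logout(user_id)
    @store[user_id] = nil
  end

  private

  def mac(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end

  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison so the MAC/token check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The expiry in the cookie is only a window, not a defence: for the two weeks the question describes, the copied cookie is as good as the original. Rotating the token on each successful use (re-issuing and storing a new hash) shrinks that window further, and an explicit logout closes it, but neither distinguishes the attacker's copy from the user's.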

