Re: Sample Code, quick simple openid auth
How does encrypting them make any difference against steal-ability? Wouldn't putting the IP address of the user be more to the point? Though that would lock out many users from ISPs using proxies. I'm certainly aware of XSS issues and even posted a simple way of blocking them in camping controllers, which you'll find 3 replies ago. Encrypting cookies won't change that issue one bit.

On 20/05/2008, at 7:01 PM, Magnus Holm wrote:

> Cookies can be stolen. I'm protecting you against yourself :-P
>
> 2008/5/20, Bluebie, Jenna <[EMAIL PROTECTED]>:
>> Sure, but if you're building an app that keeps secrets about me from me, I'd rather not use it, thank you.
>>
>> On 20/05/2008, at 6:01 PM, Magnus Holm wrote:
>>> Everyone can read their session, though. I can post an example which encrypts everything (don't expect it to be super-fast).
>>>
>>> On Tue, May 20, 2008 at 7:30 AM, Bluebie, Jenna <[EMAIL PROTECTED]> wrote:
>>>> Also, here's a simple way to stop XSS dead!
>>>> http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions
>>>>
>>>> —
>>>> Jenna "is hoping all this will earn her some oats!" Fox
>>>
>>> --
>>> Magnus Holm
>
> --
> Magnus Holm

___
Camping-list mailing list
Camping-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list
Re: Sample Code, quick simple openid auth
Cookies can be stolen. I'm protecting you against yourself :-P

2008/5/20, Bluebie, Jenna <[EMAIL PROTECTED]>:
> Sure, but if you're building an app that keeps secrets about me from me, I'd rather not use it, thank you.
>
> On 20/05/2008, at 6:01 PM, Magnus Holm wrote:
>> Everyone can read their session, though. I can post an example which encrypts everything (don't expect it to be super-fast).
>>
>> On Tue, May 20, 2008 at 7:30 AM, Bluebie, Jenna <[EMAIL PROTECTED]> wrote:
>> Also, here's a simple way to stop XSS dead!
>> http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions
>>
>> —
>> Jenna "is hoping all this will earn her some oats!" Fox
>>
>> --
>> Magnus Holm

--
Magnus Holm
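The distinction the two messages above turn on, as an added example that is not code from the thread or from Camping: a signed cookie session beside an encrypted one, using only Ruby's standard library, constructed keys and constructed session data. Signing detects tampering but leaves the payload readable by the browser; encryption also hides it; neither stops a copied cookie from being presented again.

```ruby
require 'openssl'
require 'base64'
require 'json'
# Constructed demo keys; a real app generates them once and keeps them server-side.
SIGN_KEY = OpenSSL::Random.random_bytes(32)
ENC_KEY  = OpenSSL::Random.random_bytes(32)

def secure_eq(a, b) # constant-time comparison of two MAC strings
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed session: base64(JSON) plus an HMAC. Tampering is detected, but anyone
# holding the cookie can base64-decode the payload and read every field.
def sign_session(data)
  payload = Base64.strict_encode64(JSON.generate(data))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', SIGN_KEY, payload)}"
end

def verify_session(cookie)
  payload, mac = cookie.split('--', 2)
  return nil unless payload && mac
  return nil unless secure_eq(OpenSSL::HMAC.hexdigest('SHA256', SIGN_KEY, payload), mac)
  JSON.parse(Base64.strict_decode64(payload))
end

# Encrypted session: AES-256-GCM hides the contents and authenticates them too.
def encrypt_session(data)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = ENC_KEY
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(data)) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

def decrypt_session(cookie)
  raw = Base64.strict_decode64(cookie)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = ENC_KEY
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  JSON.parse(cipher.update(raw[28..-1]) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
  nil # wrong key, truncated cookie, or modified ciphertext/tag
end

# Neither scheme ties a cookie to a client: a copied cookie verifies exactly as the original did.
def replayable?(cookie)
  first = verify_session(cookie) || decrypt_session(cookie)
  !first.nil? && (verify_session(cookie.dup) || decrypt_session(cookie.dup)) == first
end
```

Binding the session to a client IP, as the top message suggests, would change the replay result but breaks users behind rotating proxies; the usual mitigations are short lifetimes, server-side revocation and keeping the cookie out of script reach.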
Re: Sample Code, quick simple openid auth
Sure, but if you're building an app that keeps secrets about me from me, I'd rather not use it, thank you.

On 20/05/2008, at 6:01 PM, Magnus Holm wrote:

> Everyone can read their session, though. I can post an example which encrypts everything (don't expect it to be super-fast).
>
> On Tue, May 20, 2008 at 7:30 AM, Bluebie, Jenna <[EMAIL PROTECTED]> wrote:
>> Also, here's a simple way to stop XSS dead!
>> http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions
>>
>> —
>> Jenna "is hoping all this will earn her some oats!" Fox
>
> --
> Magnus Holm
Re: Sample Code, quick simple openid auth
Everyone can read their session, though. I can post an example which encrypts everything (don't expect it to be super-fast).

On Tue, May 20, 2008 at 7:30 AM, Bluebie, Jenna <[EMAIL PROTECTED]> wrote:
> Also, here's a simple way to stop XSS dead!
> http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions
>
> —
> Jenna "is hoping all this will earn her some oats!" Fox

--
Magnus Holm
Re: Sample Code, quick simple openid auth
Also, here's a simple way to stop XSS dead!
http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions

—
Jenna "is hoping all this will earn her some oats!" Fox
Re: Sample Code, quick simple openid auth
Okay, so I cleaned this up a little, made it suck less when using it in CGI camping, and put it on the wiki (which should really support OpenID! I had to register a RubyForge account and had all problems getting the account activated to contribute! Darn you RubyForge!)

So here it is, OpenID on Wiki!
http://code.whytheluckystiff.net/camping/wiki/AuthenticatingOpenIDs

Also, check out Cookie Sessions!
http://code.whytheluckystiff.net/camping/wiki/CookieSessions

They're hip, they're new, they're slightly worrying but, if you think about it, secure anyway, and they don't mess up your database or filesystem with a bunch of files!
Sample Code, quick simple openid auth
You'll need to install the 'openid' gem for this, and require it in your camping app:

    require 'openid'

    class Login < R '/login'
      def get
        # Absolute URL of this controller; the provider sends the user back here.
        this_url = 'http:' + URL('/login').to_s
        unless input.finish.to_s == '1'
          # start doing the auth here
          begin
            # nil store = stateless mode; @state carries the consumer's data between requests.
            # The identifier comes from the form field named openid_identifier.
            oid_request = OpenID::Consumer.new(@state, nil).begin(input.openid_identifier)
            oid_request.return_to_args['finish'] = '1'
            # Arguments: the realm (site root) and the return_to URL.
            redirect(oid_request.redirect_url('http:' + URL('/').to_s, this_url))
          rescue OpenID::DiscoveryFailure
            return 'Couldn\'t find an OpenID at that address, are you sure it is one?'
          end
        else
          # finish the auth here
          response = OpenID::Consumer.new(@state, nil).complete(input, this_url)
          case response.status
          when OpenID::Consumer::SUCCESS
            @state.identity = response.identity_url.to_s
            return redirect(R(HomeScreen))
          when OpenID::Consumer::FAILURE
            'The OpenID thing doesn\'t think you really are that person, they said: ' + response.message
          end
        end
      end
    end

Then just point a form at /login with an input by the name of openid_identifier, and you have yourself some auth! It will set @state.identity to their OpenID URL. Using this you can auth people with existing AOL, LiveJournal, Yahoo accounts, and a lot of littler OpenID providers too. It could sure use some upgrades in the error reporting department, which you could hook up to your own error pages or whatever. I'll be using this in an app which doesn't use any relational databases, just file system storage.

You'll probably want to change the 'return redirect(R(HomeScreen))' line near the end to some page in your app that logged in users go to before you take this online too. :)

Public Domain.

– Jenna