Re: Sample Code, quick simple openid auth

2008-05-20 Thread Bluebie, Jenna
How does encrypting them make any difference against steal-ability?
Wouldn't putting the IP address of the user be more to the point?
Though that would lock out many users from ISPs using proxies.


I'm certainly aware of XSS issues and even posted a simple way of  
blocking them in camping controllers which you'll find 3 replies ago.


Encrypting cookies won't change that issue one bit.


On 20/05/2008, at 7:01 PM, Magnus Holm wrote:


Cookies can be stolen. I'm protecting you against yourself :-P

2008/5/20, Bluebie, Jenna <[EMAIL PROTECTED]>:

Sure, but if you're building an app that keeps secrets about me from
me, I'd rather not use it, thank you.


On 20/05/2008, at 6:01 PM, Magnus Holm wrote:


Everyone can read their session, though. I can post an example which
encrypts everything (don't expect it to be super-fast).

On Tue, May 20, 2008 at 7:30 AM, Bluebie, Jenna <[EMAIL PROTECTED]> wrote:

Also, here's a simple way to stop XSS dead!
http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions

—
Jenna "is hoping all this will earn her some oats!" Fox

___
Camping-list mailing list
Camping-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list



--
Magnus Holm






--
Magnus Holm




Re: Sample Code, quick simple openid auth

2008-05-20 Thread Magnus Holm
Cookies can be stolen. I'm protecting you against yourself :-P

2008/5/20, Bluebie, Jenna <[EMAIL PROTECTED]>:
> Sure, but if you're building an app that keeps secrets about me from
> me, I'd rather not use it, thank you.
>
>
> On 20/05/2008, at 6:01 PM, Magnus Holm wrote:
>
>> Everyone can read their session, though. I can post an example which
>> encrypts everything (don't expect it to be super-fast).
>>
>> On Tue, May 20, 2008 at 7:30 AM, Bluebie, Jenna <[EMAIL PROTECTED]> wrote:
>> Also, here's a simple way to stop XSS dead!
>> http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions
>>
>> —
>> Jenna "is hoping all this will earn her some oats!" Fox
>>
>>
>>
>>
>> --
>> Magnus Holm
>
>


-- 
Magnus Holm

Re: Sample Code, quick simple openid auth

2008-05-20 Thread Bluebie, Jenna
Sure, but if you're building an app that keeps secrets about me from  
me, I'd rather not use it, thank you.



On 20/05/2008, at 6:01 PM, Magnus Holm wrote:

Everyone can read their session, though. I can post an example which  
encrypts everything (don't expect it to be super-fast).


On Tue, May 20, 2008 at 7:30 AM, Bluebie, Jenna <[EMAIL PROTECTED]> wrote:

Also, here's a simple way to stop XSS dead! 
http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions

—
Jenna "is hoping all this will earn her some oats!" Fox




--
Magnus Holm



Re: Sample Code, quick simple openid auth

2008-05-20 Thread Magnus Holm
Everyone can read their session, though. I can post an example which
encrypts everything (don't expect it to be super-fast).

On Tue, May 20, 2008 at 7:30 AM, Bluebie, Jenna <[EMAIL PROTECTED]> wrote:

> Also, here's a simple way to stop XSS dead!
> http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions
>
> —
> Jenna "is hoping all this will earn her some oats!" Fox
>
>



-- 
Magnus Holm

Re: Sample Code, quick simple openid auth

2008-05-19 Thread Bluebie, Jenna

Also, here's a simple way to stop XSS dead! 
http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions

—
Jenna “is hoping all this will earn her some oats!” Fox


Re: Sample Code, quick simple openid auth

2008-05-19 Thread Bluebie, Jenna
Okay, so I cleaned this up a little, made it suck less when using it  
in CGI camping, and put it on the wiki (which should really support  
OpenID! I had to register a RubyForge account and had all problems  
getting the account activated to contribute! Darn you ruby forge!)


So here it is, OpenID on Wiki! 
http://code.whytheluckystiff.net/camping/wiki/AuthenticatingOpenIDs

Also, check out Cookie Sessions!

http://code.whytheluckystiff.net/camping/wiki/CookieSessions

They're hip, they're new, they're slightly worrying, but if you think
about it, secure anyway, and they don't mess up your database or
filesystem with a bunch of files!




Sample Code, quick simple openid auth

2008-05-18 Thread Bluebie, Jenna
You'll need to install the 'openid' gem for this, and require it in  
your camping app:


require 'openid'   # the 'openid' gem

class Login < R '/login'
  def get
    # Camping's URL() leaves off the scheme, so it is prepended here
    this_url = 'http:' + URL('/login').to_s
    unless input.finish.to_s == '1'
      # start doing the auth here
      begin
        # @state is the Camping session; nil store means stateless mode
        oid_request = OpenID::Consumer.new(@state, nil).begin(input.openid_identifier)
        oid_request.return_to_args['finish'] = '1'
        redirect(oid_request.redirect_url('http:' + URL('/').to_s, this_url))
      rescue OpenID::DiscoveryFailure
        return 'Couldn\'t find an OpenID at that address, are you sure it is one?'
      end
    else
      # finish the auth here; complete() checks the response against this_url
      response = OpenID::Consumer.new(@state, nil).complete(input, this_url)
      case response.status
      when OpenID::Consumer::SUCCESS
        @state.identity = response.identity_url.to_s
        return redirect(R(HomeScreen))
      when OpenID::Consumer::FAILURE
        'The OpenID thing doesn\'t think you really are that person, they said: ' + response.message
      else
        # cancelled or setup needed: nothing was verified, so nothing is stored
        'The OpenID login was not completed.'
      end
    end
  end
end

Then just point a form at /login with an input by the name of
openid_identifier, and you have yourself some auth! It will set
@state.identity to their OpenID URL. Using this you can auth people
with existing AOL, LiveJournal, Yahoo accounts, and a lot of littler
OpenID providers too. It could sure use some upgrades in the error
reporting department, which you could hook up to your own error pages
or whatever. I'll be using this in an app which doesn't use any
relational databases, just file system storage. You'll probably want
to change the 'return redirect(R(HomeScreen))' line near the end to
some page in your app that logged in users go to before you take this
online too. :)


Public Domain.


–
Jenna