Re: Camping 2.0 - What's left?

2008-05-26 Thread Aníbal Rojas
Me neither ;-) And talking about instructions, the Wiki will need an Extreme Make Over to catch up with the code. -- Aníbal On Tue, May 27, 2008 at 1:11 AM, Bluebie, Jenna [EMAIL PROTECTED] wrote: Yeah, I suppose that's reasonable.. the timestamp even on The Camping Server and stuff would

Re: Camping 2.0 - What's left?

2008-05-25 Thread Bluebie, Jenna
I forgot to mention though, the signing just stops users from changing the session data without the server knowing; it doesn't stop them from reading it. Any data in the session when using the cookie sessions store only needs to be base64 decoded and unmarshaled with ruby to find out

Re: Camping 2.0 - What's left?

2008-05-25 Thread Magnus Holm
You're absolutely right. Not anymore, though. I fixed it in my cs-branch. Now it will save the data in three cookies: camping_blob, camping_hash and camping_time. The secure_blob_hasher includes the remote IP and the user agent, and it also has a timeout of 15 minutes (which can be overridden with

Re: Camping 2.0 - What's left?

2008-05-25 Thread Magnus Holm
So there isn't really any way to be safe against XSS and at the same time support all users? Then ignore my patch, and we should just make it clear that the data is in clear-text within the cookie and you must be very careful with validating the input. On Sun, May 25, 2008 at 3:04 PM, Bluebie,

Re: Camping 2.0 - What's left?

2008-05-25 Thread Julian Tarkhanov
On 25 May 2008, at 00:25, Magnus Holm wrote: * insert your wish * Are deeply nested query arguments and tricky bits like checkbox arrays/param arrays handled properly (and in a Camping-compatible manner, AFAIK in Camping the first parameter wins as opposed to Rails) by Rack? What happens

Re: Camping 2.0 - What's left?

2008-05-25 Thread Magnus Holm
On Sun, May 25, 2008 at 4:25 PM, Julian Tarkhanov [EMAIL PROTECTED] wrote: On 25 May 2008, at 00:25, Magnus Holm wrote: * insert your wish * Are deeply nested query arguments and tricky bits like checkbox arrays/param arrays handled properly (and in a Camping-compatible manner, AFAIK in

Re: Camping 2.0 - What's left?

2008-05-25 Thread Aria Stewart
On Sat, 2008-05-24 at 22:43 -0500, _why wrote: On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote: * The cookie session is named Camping::Session and is placed in camping/session.rb. Maybe this should be called Camping::CookieSession or??? You know, these cookie sessions seem like

Re: Camping 2.0 - What's left?

2008-05-25 Thread _why
On Sun, May 25, 2008 at 02:45:15PM +0200, Magnus Holm wrote: You're absolutely right. Not anymore, though. I fixed it in my cs-branch. Now it will save the data in three cookies: camping_blob, camping_hash and camping_time. The secure_blob_hasher includes the remote IP and the user agent, and it

Re: Camping 2.0 - What's left?

2008-05-25 Thread Aníbal Rojas
Agreed with all the previous stuff... The reason nobody can ever spoof a session is that they can never generate the needed hash because they don't have the @@state_secret piece of text needed to do so, hopefully! This presents a challenge for open source. We really need to raise an error if

Camping 2.0 - What's left?

2008-05-24 Thread Magnus Holm
I've just sent a pull-request to _why with my changes[1] and here are some things that I think need to be done before a (possible) release: * The cookie session is named Camping::Session and is placed in camping/session.rb. Maybe this should be called Camping::CookieSession or??? * The

Re: Camping 2.0 - What's left?

2008-05-24 Thread _why
On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote: I've just sent a pull-request to _why with my changes[1] and here are some things that I think need to be done before a (possible) release: It's been merged, great work, Magnus. I'm not quite to the point of addressing all of your

Re: Camping 2.0 - What's left?

2008-05-24 Thread _why
On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote: * The cookie session is named Camping::Session and is placed in camping/session.rb. Maybe this should be called Camping::CookieSession or??? You know, these cookie sessions seem like they could be a problem. A lot of sessions would