Hi,
Has there been any sort of “official” response to G.S. McNamara's recent
blog post “Logout is broken by default in Ruby on Rails web applications”
(http://maverickblogging.com/logout-is-broken-by-default-ruby-on-rails-web-applications/)
(also see the discussion on Hacker
(I believe) it already is:
http://guides.rubyonrails.org/security.html#session-fixation
--
You received this message because you are subscribed to the Google Groups Ruby on Rails: Core group.
On Oct 14, 2013, at 11:28 AM, Steve Klabnik wrote:
(I believe) it already is:
http://guides.rubyonrails.org/security.html#session-fixation
The new article is about a different scenario - namely that the CookieStore
doesn't include any kind of invalidation mechanism by default.
Short
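The distinction drawn in the reply above (session fixation versus the lack of a server-side invalidation mechanism in a cookie-only session store) is easier to see in code. The following is an added illustration, not Rails' CookieStore implementation and not code from anyone in this thread: a deliberately simplified HMAC-signed cookie, a "logout" that consists only of the browser discarding its copy, and then the same cookie backed by a server-side registry of active session ids so that logout can actually revoke it. The secret, the `SessionRegistry` class and the demo functions are all constructed for the example.

```ruby
require "openssl"
require "securerandom"
require "json"

# Constructed demo secret; a real application loads this from configuration.
SECRET = "constructed-demo-secret-not-for-real-use"

# Constant-time comparison so the MAC check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simplified model of a cookie store: the session data lives entirely in the
# cookie, protected only by an HMAC over the serialized payload.
def sign_cookie(payload)
  data = [JSON.generate(payload)].pack("m0")          # strict base64
  mac  = OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
  "#{data}--#{mac}"
end

# Returns the payload hash when the MAC is valid, nil otherwise.
def verify_cookie(cookie)
  data, mac = cookie.to_s.split("--", 2)
  return nil unless data && mac
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
  return nil unless secure_equal?(mac, expected)
  JSON.parse(data.unpack1("m0"))
rescue ArgumentError, JSON::ParserError
  nil
end

# Cookie-only sessions: "logout" is the browser forgetting the cookie. The
# server keeps no record, so an earlier copy of the cookie still verifies.
def cookie_store_demo
  cookie   = sign_cookie("user_id" => 42)
  captured = cookie.dup        # a copy that left the browser before logout
  # ... browser discards its own copy here ...
  verify_cookie(captured)      # still a valid session for user 42
end

# The same signed cookie plus a server-side set of live session ids. The
# cookie is still self-describing, but the server can now refuse it.
class SessionRegistry
  def initialize
    @active = {}               # sid => user_id; a real app would use a DB/cache
  end

  def login(user_id)
    sid = SecureRandom.hex(16)
    @active[sid] = user_id
    sign_cookie("sid" => sid, "user_id" => user_id)
  end

  # Logout revokes the id on the server; every copy of the cookie dies with it.
  def logout(cookie)
    session = verify_cookie(cookie)
    @active.delete(session["sid"]) if session
  end

  def current_user(cookie)
    session = verify_cookie(cookie)
    return nil unless session && @active.key?(session["sid"])
    session["user_id"]
  end
end

def registry_demo
  registry = SessionRegistry.new
  cookie   = registry.login(42)
  captured = cookie.dup
  before   = registry.current_user(captured)   # 42
  registry.logout(cookie)
  after    = registry.current_user(captured)   # nil: the copy is now useless
  [before, after]
end

# The MAC still protects integrity in both designs: an edited payload is rejected.
def tampered_cookie_rejected?
  _data, mac = sign_cookie("user_id" => 42).split("--", 2)
  forged = [JSON.generate("user_id" => 1)].pack("m0")
  verify_cookie("#{forged}--#{mac}").nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "cookie-only store, after logout: #{cookie_store_demo.inspect}"
  puts "with server-side registry:       #{registry_demo.inspect}"
end
```

The point of the contrast is that signing alone gives integrity, not revocation: `cookie_store_demo` shows the captured cookie verifying after the browser has "logged out", while `registry_demo` shows the same cookie being refused once the server-side id is deleted. Rails' own guidance on session expiry and server-side stores is the place to look for how to do this in a real application.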
Isn't this a common problem with every other framework that uses cookies
for sessions? I find it a bit hard on Rails given that point.
I remember doing some successful tests on Facebook (PHP) with FireSheep,
and I believe (please tell me if I'm wrong) that it gets fixed by using SSL
to prevent
On 14/10/2013, at 11:13 PM, Matias Korhonen korhonen.m...@gmail.com wrote:
Hi,
Has there been any sort of “official” response to G.S. McNamara's recent blog
post “Logout is broken by default in Ruby on Rails web applications” (also
see the discussion on Hacker News)?
The TL;DR is: