Camping 2.0 - What's left?
Bluebie, Jenna
blueberry at creativepony.com
Sun May 25 02:02:37 EDT 2008
I forgot to mention, though, that the signing just stops users from changing
the session data without the server knowing; it doesn't stop them from
reading it. Any data in the session when using the cookie session
store only needs to be base64 decoded and unmarshaled with Ruby to
find out what's inside. As far as I'm concerned, any app that's
keeping secrets from me about me is not the kind of app I want to be
using anyway.
On 25/05/2008, at 1:43 PM, _why wrote:
> On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote:
>> * The cookie session is named Camping::Session and is placed in
>> camping/session.rb. Maybe this should be called
>> Camping::CookieSession or???
>
> You know, these cookie sessions seem like they could be a problem.
> A lot of sessions would contain just the hash and the user name.
> So, spoof the user name and you're in, you know?
>
> _why
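The property discussed in this thread, shown as a worked example added here (not Camping's own code): a cookie session is Marshal-dumped, base64-encoded and signed, so a holder of the cookie can read it without the secret, while any edit to the payload fails verification. The helper names, the secret and the session values are all constructed for the illustration.

```ruby
require 'base64'
require 'openssl'

# Constructed server-side secret; in a real app it never reaches the browser.
SECRET = 'constructed-server-secret'.freeze

# HMAC over the encoded blob; the key, not the digest, is what an attacker lacks.
def sign(blob, secret = SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, blob)
end

# Marshal -> base64 -> "<blob>--<signature>", mirroring the scheme described above.
def encode_session(hash, secret = SECRET)
  blob = Base64.strict_encode64(Marshal.dump(hash))
  "#{blob}--#{sign(blob, secret)}"
end

# Constant-time comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash only when the signature matches, else nil.
# Marshal.load runs only after the HMAC check, never on unverified input.
def decode_session(cookie, secret = SECRET)
  blob, sig = cookie.split('--', 2)
  return nil if blob.nil? || sig.nil?
  return nil unless secure_equal?(sig, sign(blob, secret))
  Marshal.load(Base64.strict_decode64(blob))
end

# The point of the post: the payload is readable by whoever holds the cookie,
# with no secret at all. Only use this on a cookie you issued yourself.
def peek_session(cookie)
  blob, _sig = cookie.split('--', 2)
  Marshal.load(Base64.strict_decode64(blob))
end

# Swap the payload but keep the old signature; decode_session rejects it,
# which is exactly what the signing is there to guarantee.
def replace_payload(cookie, new_hash)
  _blob, sig = cookie.split('--', 2)
  "#{Base64.strict_encode64(Marshal.dump(new_hash))}--#{sig}"
end
```

The takeaway for the store's users is the one the post makes: treat the cookie as public and keep anything secret on the server side.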