Cookie Sessions in Merb?
ez at engineyard.com
Fri Aug 17 13:38:43 EDT 2007
Yeah I'd be interested in a cookie store. But the security concerns are
valid so we would need to investigate thoroughly.
Sent from my iPhone
On Aug 17, 2007, at 10:08 AM, "ry dahl" <ry at tinyclouds.org> wrote:
> I like the cookie sessions that Rails edge has - they make sense,
> they're fast, easy.
> For those that don't know: the default session mechanism is to give
> developers a Hash called session. To store this object between
> requests it Marshals the session object and sends the object itself
> (now as a bitstream) back to clients to store in their cookie file. To
> prevent users from tampering with this data, a cryptographic digest
> (using HMAC with SHA-1) is sent along with the bitstream.
> The major problem with this scheme is that the Marshalled data is not
> at all encrypted! Users are free to unmarshal and examine what
> websites are storing in their sessions. They cannot change the data,
> but nevertheless this is a security problem!
> The answers given by the rails developers sound rather naïve:
>> This is getting into very difficult crypto. Basically, depending on
>> the cipher, there
>> may be cases where you can change one part of the text without
>> changing the other.
> Not that I know much about cryptography, but I'm almost certain that
> modifying AES encrypted Marshalled data is quite tamper proof. If not,
> one could at least send a digest along with it.
> There has been some mention of the extra AES operation slowing down
> speed (but it's been said it's not much of a slowdown), I think having
> secure cookies would be well worth the cost.
> Is there interest in this type of session for Merb?
> Related: I've just written a CookieJar class - perhaps it would be
> useful for Merb?
> Merb-devel mailing list
> Merb-devel at rubyforge.org
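As an added illustration of the scheme discussed above (example code, not Merb's or Rails' own implementation): a signed-only store that Marshals the session and appends an HMAC, so the client can read but not forge it, next to an encrypt-then-MAC variant that also hides the contents. Encryption alone does not prevent tampering, so the variant keeps a MAC over the ciphertext and verifies it before anything is passed to Marshal.load; the HMAC key and the 32-byte AES-256 key are assumed inputs.

```ruby
require 'openssl'
require 'base64'

# Added example, not the thread's code: the signed-only store it describes
# (Marshal + HMAC) plus an encrypt-then-MAC variant that also hides the data.
# Assumes enc_key is 32 bytes (AES-256); hmac_key may be any secret string.
class CookieStore
  def initialize(hmac_key, enc_key = nil)
    @hmac_key = hmac_key
    @enc_key = enc_key # nil => signed only; the client can read the session
  end
  # Hash -> "base64(payload)--hexdigest"
  def dump(session)
    payload = Marshal.dump(session)
    payload = encrypt(payload) if @enc_key
    data = Base64.strict_encode64(payload)
    "#{data}--#{hmac(data)}"
  end
  # Cookie -> Hash, or nil when the MAC fails. The MAC is verified before
  # Marshal.load, so untrusted bytes never reach the deserializer.
  def load(cookie)
    data, digest = cookie.to_s.split('--', 2)
    return nil unless data && digest && secure_compare(hmac(data), digest)
    payload = Base64.strict_decode64(data)
    payload = decrypt(payload) if @enc_key
    Marshal.load(payload)
  end
  # What any client can do with a signed-only cookie: read it without a key.
  def self.peek(cookie)
    Marshal.load(Base64.strict_decode64(cookie.split('--', 2).first))
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest('sha256', @hmac_key, data)
  end
  def encrypt(plain)
    c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    c.key = @enc_key
    iv = c.random_iv
    iv + c.update(plain) + c.final
  end
  def decrypt(blob)
    c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    c.key = @enc_key
    c.iv = blob[0, 16]
    c.update(blob[16..]) + c.final
  end
  # Constant-time comparison so the digest check does not leak by timing.
  def secure_compare(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end
```

With `enc_key` left nil, `CookieStore.peek` recovers the session from the cookie alone, which is exactly the readability problem the message raises; with a key set, the same cookie carries only ciphertext plus its MAC.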