Cookie Sessions in Merb?

Ezra Zygmuntowicz ez at engineyard.com
Fri Aug 17 13:38:43 EDT 2007


Yeah I'd be interested in a cookie store. But the security concerns are
valid so we would need to investigate thoroughly

Ezra

Sent from my iPhone

On Aug 17, 2007, at 10:08 AM, "ry dahl" <ry at tinyclouds.org> wrote:

> I like the cookie sessions that Rails edge has - they make sense,
> they're fast, easy.
>
> For those that don't know: the default session mechanism is to give
> developers a Hash called session. To store this object between
> requests it Marshals the session object and sends the object itself
> (now as a bitstream) back to clients to store in their cookie file. To
> prevent users from tampering with this data, a cryptographic digest
> (using HMAC with SHA-1) is sent along with the bitstream.
>
> The major problem with this scheme is that the Marshalled data is not
> at all encrypted! Users are free to unmarshal and examine what
> websites are storing in their sessions. They cannot change the data,
> but nevertheless this is a security problem!
>
> The answers given by the rails developers sound rather naïve:
>> This is getting into very difficult crypto. Basically, depending on  
>> the cipher, there
>> may be cases where you can change one part of the text without  
>> changing the other.
> Not that I know much about cryptography, but I'm almost certain that
> modifying AES-encrypted Marshalled data is quite tamper-proof. If not,
> one could at least send a digest along with it.
>
> There has been some mention of the extra AES operation slowing down
> speed (but it's been said it's not much of a slowdown), I think having
> secure cookies would be well worth the cost.
>
> Is there interest in this type of session for Merb?
> Related: I've just written a CookieJar class - perhaps it would be
> useful for Merb?
> http://rubyforge.org/pipermail/mongrel-users/2007-August/003890.html
>
> ry
> _______________________________________________
> Merb-devel mailing list
> Merb-devel at rubyforge.org
> http://rubyforge.org/mailman/listinfo/merb-devel
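The two designs discussed in the thread, side by side, as an added example (constructed for this page; it is not Merb's, Rails' or the poster's CookieJar code). The first store is the signed-only scheme the message describes: `Marshal.dump` the session hash, Base64 it, append an HMAC-SHA1 digest. `peek_signed_cookie` shows the point being made, that anyone holding the cookie can read the payload without the secret. The second store encrypts with AES-256-CBC and then authenticates the IV and ciphertext with HMAC-SHA256 (encrypt-then-MAC), so the payload is opaque and any modification is rejected before anything is decrypted or unmarshalled. The secret, the key derivation (two keys split off one secret with SHA-256) and the `--` separator are assumptions of this example, not anything the thread specifies.

```ruby
require 'openssl'
require 'base64'

# Assumption: one app-wide secret, constructed for this example.
SECRET = 'constructed-demo-secret-do-not-reuse'.freeze

# Constant-time string comparison so the digest check does not leak
# where the first mismatching byte is.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# --- Store 1: signed but not encrypted (the scheme the thread describes) ---

def sign(data)
  OpenSSL::HMAC.hexdigest('SHA1', SECRET, data)
end

def signed_cookie(session)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{sign(data)}"
end

def load_signed_cookie(cookie)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  # Verify the digest before Marshal.load ever sees the bytes.
  return nil unless secure_compare(sign(data), digest)
  Marshal.load(Base64.strict_decode64(data))
end

# Demonstrates the confidentiality gap: no secret is needed to read it.
def peek_signed_cookie(cookie)
  Marshal.load(Base64.strict_decode64(cookie.split('--', 2).first))
end

# --- Store 2: AES-256-CBC, then HMAC-SHA256 over IV + ciphertext ---

# Assumption: derive separate encryption and MAC keys from the one secret.
ENC_KEY = OpenSSL::Digest::SHA256.digest("enc:#{SECRET}")
MAC_KEY = OpenSSL::Digest::SHA256.digest("mac:#{SECRET}")
IV_LEN  = 16

def encrypted_cookie(session)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = ENC_KEY
  iv = cipher.random_iv                       # fresh IV per cookie
  ct = cipher.update(Marshal.dump(session)) + cipher.final
  body = Base64.strict_encode64(iv + ct)
  "#{body}--#{OpenSSL::HMAC.hexdigest('SHA256', MAC_KEY, body)}"
end

def load_encrypted_cookie(cookie)
  body, mac = cookie.split('--', 2)
  return nil unless body && mac
  # Authenticate first; a modified IV or ciphertext never reaches the cipher.
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA256', MAC_KEY, body), mac)
  raw = Base64.strict_decode64(body)
  iv, ct = raw[0, IV_LEN], raw[IV_LEN..-1]
  decipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  decipher.key = ENC_KEY
  decipher.iv = iv
  Marshal.load(decipher.update(ct) + decipher.final)
end

# Does the cookie carry the marshalled session in the clear?
def payload_visible?(cookie, session)
  cookie.include?(Base64.strict_encode64(Marshal.dump(session)))
end

if __FILE__ == $PROGRAM_NAME
  session = { user_id: 42, role: 'user' }
  signed = signed_cookie(session)
  puts "signed-only, readable without the secret: #{peek_signed_cookie(signed).inspect}"
  enc = encrypted_cookie(session)
  puts "encrypted, payload visible? #{payload_visible?(enc, session)}"
end
```

Both loaders refuse the cookie (return nil) when a single character of the body is changed, which is the tamper-resistance the digest buys in either design; only the second design also hides the contents. Separating the MAC key from the encryption key, and checking the MAC before decrypting, is what addresses the Rails developers' malleability worry quoted above.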

