search for: generate_unique_id

...to survive the first redirect. I added the following code to environment.rb, based on Ryan''s (http://www.ryandaigle.com/) note: config.action_controller.session = { :session_key => ''_<%= app_name %>_session'', :secret => ''<%= CGI::Session.generate_unique_id(app_name) %>'' } The problem is probably related to the fact that the embedded ruby is not getting processed. The generated cookie is NAME: _<% VALUE app_name %>_session... What am I missing? (I''m in dev mode, btw). TIA, Keith -- Posted via http://www.ruby-forum.com/...

Aside from the replay attacks discussed, there are some other attack vectors on the cookie_session store. I appreciate (and admire!) Jeremy''s good humor on all of this: > Planting the seed here led to quick ripening and plenty of pesticide. > Thanks for the fish, all. > > jeremy Anyway, here''s what we came up with: 1. Brute Force SHA512 can be computed _very_ fast.