I understand that the new CookieSessions use encryption to secure the
data inside the cookie. The +secret+ that is default defined in
config.action_controller.session in the environment.rb appears to be a
hexadecimal key. A few questions regarding this:
1) Is the +secret+ converted from a hex string to a binary key?
2) Can I use any characters in the key?
3) What key lengths can I use?
Also, a couple questions about the encryption algorithm:
1) What encryption algorithm is used?
2) What mode is the encryption algorithm operating in (e.g. CBC,
stream, etc.)
One final question: Is the CookieSession attached to the user's IP
address in any way within the ActionController, or is this left to the
developer? (To prevent against a replay attack)
--
Travis
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to
rubyonrails-core-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---
On Dec 18, 2007, at 5:35 PM, tekwiz wrote:
> I understand that the new CookieSessions use encryption to secure the
> data inside the cookie. The +secret+ that is default defined in
> config.action_controller.session in the environment.rb appears to be a
> hexadecimal key. A few questions regarding this:
>
> 1) Is the +secret+ converted from a hex string to a binary key?
> 2) Can I use any characters in the key?
> 3) What key lengths can I use?
>
> Also, a couple questions about the encryption algorithm:
>
> 1) What encryption algorithm is used?
> 2) What mode is the encryption algorithm operating in (e.g. CBC,
> stream, etc.)
>
> One final question: Is the CookieSession attached to the user's IP
> address in any way within the ActionController, or is this left to the
> developer? (To prevent against a replay attack)
>
> --
> Travis

Travis,

This list is for discussion of development of Rails itself. Questions
about using Rails should go to the rubyonrails-talk list. I can't
tell if you are proposing changing any of those things - if you are,
this is the right place. If you are just trying to get information on
how this works, the -talk list is the place to go.

--
Josh Susser
http://blog.hasmanythrough.com
Josh,
My apologies. I have posted to the Talk list.
Thanks for pointing me in the right direction.
--
Travis
On Dec 18, 8:04 pm, Josh Susser <j...@hasmanythrough.com> wrote:
> This list is for discussion of development of Rails itself. Questions
> about using Rails should go to the rubyonrails-talk list. I can't
> tell if you are proposing changing any of those things - if you are,
> this is the right place. If you are just trying to get information on
> how this works, the -talk list is the place to go.