secure-action-plugin provides an easy to use interface for protecting your app against assumed logged in attacks. In an assumed logged in attack, a malicious site assumes the visitor is logged into your site. The malicious site manually crafts a URL to a destructive action on your site (change email, delete account, etc) and opens the URL to that action in a hidden iframe. The browser then sends the user’s cookies and actions may be performed on your user’s behalf without them ever knowing. This technique may be used to steal accounts, inject or delete account data, or perform other malicious actions. The plugin works by overriding ActionController.url_for and adding a signature of the user’s session_id and some salt to URL query strings. By adding a sig that includes the user’s session_id, it makes it impossible to for malicious sites to create URLs that will work on your site for anyone but themselves. The signature is verified before a secure action is executed. More info on the wiki page: http://wiki.rubyonrails.com/rails/pages/Secure+Action Plugin homepage: http://code.google.com/p/secure-action-plugin/ Cheers, Brian Ellin brian at janrain.com -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---