hi all,

I would like to know how safe it is to use session variables like session[:name]=something? Can it be tampered with by the user or somebody? Can we have it in methods in application.rb and application_helper.rb for some validation, and how safe is that too? I've different types of users for whom views are also different, so I was thinking of setting them by session vars. Is there any other better way? Any help is greatly appreciated. Thanks in advance. :)

-Dhaval
--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
On 23 Jun 2008, at 12:47, Dhaval Phansalkar wrote:

> hi all,
>
> I would like to know how safe it is to use session variables like
> session[:name]=something? Can it be tampered with by the user or somebody?
> Can we have it in methods in application.rb and application_helper.rb
> for some validation, and how safe is that too? I've different types of
> users for whom views are also different, so I was thinking of setting
> them by session vars. Is there any other better way? Any help is greatly
> appreciated. Thanks in advance. :)

It depends on the session store to an extent. With the cookie store the entire session is stored as a cookie (and signed with a cryptographic hash), so tampering with it is hard. Users can with fairly minimal effort read what is in the session.

Fred

> -Dhaval
> --
> Posted via http://www.ruby-forum.com/.
hi Fred,

Thanks a lot for the reply :). I'm not using cookies, so I think it should be safe to use session vars then. One more thing I would like to know from your reply is "depends on the session store to an extent"; can you explain a bit more on this please? Do you mean the cookie or DB to store the session details, or anything else?

-Dhaval
--
Posted via http://www.ruby-forum.com/.
On Jun 23, 1:38 pm, Dhaval Phansalkar <rails-mailing-l...@andreas-s.net> wrote:

> hi Fred,
>
> Thanks a lot for the reply :). I'm not using cookies, so I think it should
> be safe to use session vars then. One more thing I would like to know
> from your reply is "depends on the session store to an extent"; can you
> explain a bit more on this please? Do you mean the cookie or DB to store the
> session details, or anything else?

I meant that if you are using the CookieStore (the default since Rails 2) then what I wrote applies; if not, it doesn't, since session data is stored somewhere on your server with all the other session stores.

Fred
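As an added illustration of the two answers above (a CookieStore session travels to the client, is readable by anyone holding the cookie, but is signed so altered content is rejected; server-side stores keep the data off the client entirely), here is a small Ruby script that reproduces the Rails 2 CookieStore cookie layout. It is not code from this thread or from Rails itself; the secret and session contents are constructed for the example.

```ruby
require 'openssl'

# Constructed example secret; a real app keeps its secret in config, not code.
SECRET = 'example-secret-not-for-production'

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Same layout as the Rails 2 CookieStore (ActiveSupport::MessageVerifier):
# base64(Marshal.dump(session)) + "--" + HMAC-SHA1 hex digest of the base64 part.
# pack('m0') is strict, newline-free base64.
def sign_session(session_hash, secret = SECRET)
  data = [Marshal.dump(session_hash)].pack('m0')
  "#{data}--#{hmac_hex(secret, data)}"
end

# Reading needs no secret at all: the payload is only encoded, not encrypted,
# so nothing confidential belongs in a cookie-stored session.
def read_without_secret(cookie)
  data, _sig = cookie.split('--', 2)
  Marshal.load(data.unpack1('m0'))
end

# What the server must do before trusting anything in the cookie: verify the
# HMAC first, only then deserialize. Returns nil for a bad or missing signature.
def verify_session(cookie, secret = SECRET)
  data, sig = cookie.split('--', 2)
  return nil unless data && sig && secure_compare(sig, hmac_hex(secret, data))
  Marshal.load(data.unpack1('m0'))
rescue ArgumentError, TypeError
  nil
end

# A cookie whose payload was altered while the old signature was kept (the
# tampering case Fred describes); verify_session rejects it.
def altered_payload(cookie, new_hash)
  _data, sig = cookie.split('--', 2)
  "#{[Marshal.dump(new_hash)].pack('m0')}--#{sig}"
end
```

The same check is what makes the per-user views in the original question safe to key off the session: the role stored there can be read by the user, but not changed without the server's secret.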
Frederick Cheung wrote:

> On Jun 23, 1:38 pm, Dhaval Phansalkar <rails-mailing-l...@andreas-s.net> wrote:
>> hi Fred,
>>
>> Thanks a lot for the reply :). I'm not using cookies, so I think it should
>> be safe to use session vars then. One more thing I would like to know
>> from your reply is "depends on the session store to an extent"; can you
>> explain a bit more on this please? Do you mean the cookie or DB to store the
>> session details, or anything else?
>>
> I meant that if you are using the CookieStore (the default since Rails
> 2) then what I wrote applies; if not, it doesn't, since session data is
> stored somewhere on your server with all the other session stores.
>
> Fred

Thanks a lot Fred, that helped me a lot; everything's much clearer now. :)

-Dhaval
--
Posted via http://www.ruby-forum.com/.