Yeah I''d be interested in a cookie store. But th security concerns are
valid so we would need to investigate thouroughly
Ezra
Sent from my iPhone
On Aug 17, 2007, at 10:08 AM, "ry dahl" <ry at tinyclouds.org>
wrote:
> I like the cookie sessions that Rails edge has - they make sense,
> they''re fast, easy.
>
> For those that don''t know: the default session mechanism is to
give
> developers a Hash called session. To store this object between
> requests it Marshals the session object and sends the object itself
> (now as a bitstream) back to clients to store in their cookie file. To
> prevent users from tampering with this data, a cryptographic digest
> (using HMAC with SHA-1) is sent along with the bitstream).
>
> The major problem with this scheme is that the Marshalled data is not
> at all encrypted! Users are free to unmarshal and examine what
> websites are storing in their sessions. They cannot change the data,
> but nevertheless this is a security problem!
>
> The answers given by the rails developers sound rather na?ve:
>> This is getting into very difficult crypto. Basically, depending on
>> the cipher, there
>> may be cases where you can change one part of the text without
>> changing the other.
> Not that I know much about cryptography, but I''m almost certain
that
> modifying AES encrypted Marshaled data is quite tamper proof. If not,
> one could at least send a digest along with it.
>
> There has been some mention of the extra AES operation slowing down
> speed (but it''s been said it''s not much of a slowdown), I
think having
> secure cookies would be well worth the cost.
>
> Is there interest in this type of session for Merb?
> Related: I''ve just wrote a CookieJar class - perhaps it would be
> useful for Merb?
> http://rubyforge.org/pipermail/mongrel-users/2007-August/003890.html
>
> ry
> _______________________________________________
> Merb-devel mailing list
> Merb-devel at rubyforge.org
> http://rubyforge.org/mailman/listinfo/merb-devel