Hi all,

I'd like to implement some sort of transaction token to prevent a class of xss attacks, and am having a hard time figuring out where to store application state data like this (from an OO perspective). Obviously all requests need to share the transaction token pool to get and expire tokens properly.

Am I missing the forest for the trees?

Thanks,

-mml
I'm also very much a ruby/rails newbie, and would be interested in a nice explanation of the ruby application lifecycle.

That said, one way to achieve what you want would be using the Singleton module: http://www.ruby-doc.org/core/classes/Singleton.html

By including Singleton in your class, the .new method is made private, and a new method .instance is made available which always gives the same instance. The .instance method is also thread-safe. You could then use that class to hold your pool of tokens.

However, there may be a better way to do this by taking advantage of something in rails.

--Matias

McClain Looney wrote:
> Hi all,
>
> I'd like to implement some sort of transaction token to prevent a class
> of xss attacks, and am having a hard time figuring out where to store
> application state data like this (from an OO perspective). obviously all
> requests need to share the transaction token pool to get and expire
> tokens properly.
> Am i missing the forest for the trees?
>
> Thanks,
>
> -mml
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
In article <42C08903.9030803-13vnhLXyoSJWk0Htik3J/w@public.gmane.org>, m@loonsoft.com says...
> I'd like to implement some sort of transaction token to prevent a class
> of xss attacks, and am having a hard time figuring out where to store
> application state data like this

Is there some reason the @session hash isn't suitable for this?

--
Jay Levitt | Wellesley, MA | I feel calm. I feel ready. I can only
Faster: jay at jay dot fm | conclude that's because I don't have a
http://www.jay.fm | full grasp of the situation. - Mark Adler
Jay Levitt wrote:
> In article <42C08903.9030803-13vnhLXyoSJWk0Htik3J/w@public.gmane.org>, m@loonsoft.com says...
>
>> I'd like to implement some sort of transaction token to prevent a class
>> of xss attacks, and am having a hard time figuring out where to store
>> application state data like this
>
> Is there some reason the @session hash isn't suitable for this?

The token can be stored there, but not the mechanism for generating and keeping track of outstanding tokens.
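As an added example (not code from anyone in this thread, and not part of Rails), here is one way the two suggestions fit together: a Singleton holds the process-wide pool that generates and expires tokens, while the per-user session carries only the token that was handed out. The class and method names (TokenPool, issue, redeem, outstanding), the 600-second TTL, the secure_compare helper and the plain Hash standing in for the Rails session are all this example's own assumptions.

```ruby
require 'singleton'
require 'securerandom'

# Process-wide pool of single-use transaction tokens (example code; names and
# TTL are assumptions, not a Rails API). Singleton makes .new private and
# .instance return the one shared object, so every request sees the same pool.
class TokenPool
  include Singleton

  DEFAULT_TTL = 600 # seconds a token stays valid (assumed value)

  def initialize
    @tokens = {}       # token => Time after which it is no longer accepted
    @lock   = Mutex.new # .instance is thread-safe; the pool contents need a lock too
  end

  # Issue a fresh, unguessable token and record its expiry.
  # `now` is injectable so expiry can be tested deterministically.
  def issue(ttl: DEFAULT_TTL, now: Time.now)
    token = SecureRandom.hex(16)
    @lock.synchronize { @tokens[token] = now + ttl }
    token
  end

  # Redeem a token exactly once. True only if it was issued, is unexpired and
  # has not been redeemed before. The entry is removed whether or not it was
  # valid, so a token can never be replayed.
  def redeem(token, now: Time.now)
    @lock.synchronize do
      expiry = @tokens.delete(token)
      !expiry.nil? && now < expiry
    end
  end

  # Sweep expired entries and report how many tokens are still outstanding.
  def outstanding(now: Time.now)
    @lock.synchronize do
      @tokens.delete_if { |_, expiry| expiry <= now }
      @tokens.size
    end
  end
end

# Constant-time string comparison so a mismatch does not leak where the
# strings first differ (helper written for this example).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Per-request side. `session` is a plain Hash standing in for the Rails
# session: it holds only the token, the pool does the bookkeeping.
def render_form(session)
  session[:txn_token] = TokenPool.instance.issue
end

# On submit: the token in the form must match the one in this user's session
# and must still be live in the pool. Returns :accepted or :rejected.
def handle_post(session, params)
  submitted = params['txn_token']
  expected  = session.delete(:txn_token) # one form, one submission
  return :rejected unless submitted && expected && secure_compare(submitted, expected)
  TokenPool.instance.redeem(submitted) ? :accepted : :rejected
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = render_form(session)
  puts handle_post(session, { 'txn_token' => token }) # first submit is accepted
  puts handle_post(session, { 'txn_token' => token }) # replay is rejected
end
```

Expiry is checked against the pool, and the session entry is consumed on the first submit, so a token that is stale, reused, or presented by a different session all fail the same way. In a multi-process deployment the Singleton is per process, which is exactly the limitation that pushes this bookkeeping toward a shared store such as the database or session backend.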