Hi, I'm using cookies on my website so my users don't have to log in each time... But there is a security hole behind that, which is why I would like to know: is it possible to send and check the cookies using HTTPS? I guess it could help many people to secure their web application.

Thanks, Guillaume.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Differenthink wrote:

When you set your cookie, pass :secure => true
http://ap.rubyonrails.com/classes/ActionController/Cookies.html

If I understood your question correctly.

--
Posted via http://www.ruby-forum.com/.
Thanks for your answer. So only this param makes my cookie transaction secured? (seems too easy)

On Aug 9, 22:30, Dave Coleman <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Differenthink wrote:
>
> When you set your cookie, pass :secure => true
> http://ap.rubyonrails.com/classes/ActionController/Cookies.html
>
> If I understood your question correctly.
> --
> Posted via http://www.ruby-forum.com/.
Differenthink wrote:
> So only this param makes my cookie transaction secured?
> (seems too easy)

Just means that the server can only read the cookie from the browser over an https connection. Don't believe the cookie data is stored any differently on the client side.

--
Posted via http://www.ruby-forum.com/.
Hmm, well, it works, my cookie is secured... but when I want to get its value back, it doesn't work any more... I guess there is something else to do?

Thanks for helping

On Aug 9, 22:50, Differenthink <guillaume.mont...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Thanks for your answer.
>
> So only this param makes my cookie transaction secured?
> (seems too easy)
>
> On Aug 9, 22:30, Dave Coleman <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> > Differenthink wrote:
> >
> > When you set your cookie, pass :secure => true
> > http://ap.rubyonrails.com/classes/ActionController/Cookies.html
> >
> > If I understood your question correctly.
> > --
> > Posted via http://www.ruby-forum.com/.
Well ok... so it seems I've to find a way to get it back from a secure https connection... but I don't know how to handle that... :/

If anyone has an idea?

On Aug 9, 22:59, Dave Coleman <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Differenthink wrote:
> > So only this param makes my cookie transaction secured?
> > (seems too easy)
>
> Just means that the server can only read the cookie from the browser
> over an https connection. Don't believe the cookie data is stored any
> differently on the client side.
>
> --
> Posted via http://www.ruby-forum.com/.
On Aug 9, 5:09 pm, Differenthink <guillaume.mont...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Well ok... so it seems I've to find a way to get it back from a secure
> https connection... but I don't know how to handle that... :/

Is the domain name between the unsecured and secured site the same?
Differenthink wrote:
> Well ok... so it seems I've to find a way to get it back from a secure
> https connection... but I don't know how to handle that... :/
>
> If anyone has an idea?

If you use Firefox as your browser, I'd suggest downloading and installing the developer toolbar: https://addons.mozilla.org/en-US/firefox/addon/60

With it you can view your cookie data on the cookies button.

Cookies > View Cookie Information

There is also Cookie Monster: http://www.ampsoft.net/utilities/CookieMonster.php

To retrieve a cookie that has been set from https, you must be accessing it from https. So, if the URL in your browser doesn't start with https, you won't be able to read it.

--
Posted via http://www.ruby-forum.com/.
That is my problem, I don't actually have a secured site... let me explain to you:

I use cookies to avoid my users always having to log in... so when they go to my website, I check if they have the cookie, and if they do, I put their login in a session....

Why do I want security? Because cookies are kind of a security hole, so I would like to be able to transmit them and receive them in a secured way; I guess it's HTTPS, but I've no idea how to implement it... if you could explain it to me. (I don't want all my site https, but I also have to check if the cookie is present on any page; I actually do that in my application layout, via a helper.)

thx
Guillaume.

On Aug 9, 23:42, Eno <symb...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Aug 9, 5:09 pm, Differenthink <guillaume.mont...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> > Well ok... so it seems I've to find a way to get it back from a secure
> > https connection... but I don't know how to handle that... :/
>
> Is the domain name between the unsecured and secured site the same?
On Aug 9, 5:48 pm, Differenthink <guillaume.mont...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> That is my problem, I don't actually have a secured site... let me
> explain to you:
>
> I use cookies to avoid my users always having to log in... so when they go to my
> website, I check if they have the cookie, and if they do, I put their
> login in a session....
> Why do I want security?
> Because cookies are kind of a security hole, so I would like to be able
> to transmit them and receive them in a secured way; I guess it's
> HTTPS, but I've no idea how to implement it... if you could explain
> it to me.
> (I don't want all my site https, but I also have to check if the cookie is
> present on any page; I actually do that in my application layout, via
> a helper.)

Usually, if the domain name matches or you're using a wildcard (i.e. .domain.com instead of www.domain.com) then the browser will automatically send cookies that match to your application. Not much else to it.

"To retrieve a cookie that has been set from https, you must be accessing it from https. So, if the URL in your browser doesn't start with https, you won't be able to read it."

How can I do that if I check the cookie on any page through the application layout... in that case which page has to be https, or can only an action be https??

On Aug 9, 23:45, Dave Coleman <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Differenthink wrote:
> > Well ok... so it seems I've to find a way to get it back from a secure
> > https connection... but I don't know how to handle that... :/
> >
> > If anyone has an idea?
>
> If you use Firefox as your browser, I'd suggest downloading and
> installing the developer toolbar: https://addons.mozilla.org/en-US/firefox/addon/60
>
> With it you can view your cookie data on the cookies button.
>
> Cookies > View Cookie Information
>
> There is also Cookie Monster: http://www.ampsoft.net/utilities/CookieMonster.php
>
> To retrieve a cookie that has been set from https, you must be accessing
> it from https. So, if the URL in your browser doesn't start with https,
> you won't be able to read it.
>
> --
> Posted via http://www.ruby-forum.com/.
Differenthink wrote:
> That is my problem, I don't actually have a secured site... let me
> explain to you:
>
> I use cookies to avoid my users always having to log in... so when they go to my
> website, I check if they have the cookie, and if they do, I put their
> login in a session....
> Why do I want security?
> Because cookies are kind of a security hole, so I would like to be able
> to transmit them and receive them in a secured way; I guess it's
> HTTPS, but I've no idea how to implement it... if you could explain
> it to me.
> (I don't want all my site https, but I also have to check if the cookie is
> present on any page; I actually do that in my application layout, via
> a helper.)

A cookie is sent for each request matching a set of rules, primarily the hostname but also optionally the path and whether the contact method is secure or not. If you send the cookie by HTTPS, you send your request by HTTPS, you receive your response by HTTPS, so you have a full blown HTTPS site.

Lionel
Differenthink wrote:
> "To retrieve a cookie that has been set from https, you must be
> accessing it from https. So, if the URL in your browser doesn't start with
> https, you won't be able to read it."

I'm not sure this is actually the case; cookies set without the secure option should be readable on a plain connection if I read the RFC correctly.

> How can I do that if I check the cookie on any page through the
> application layout... in that case which page has to be https, or can
> only an action be https??

A page and an action aren't HTTPS. A page is (usually) HTML content that you *always* return through the same means you got your request; it doesn't know if it's http or https (or more accurately it shouldn't need to). The action usually describes the code that performs pure computations; in Rails it usually doesn't bother with http and https, it is the web server (Apache, lighttpd, nginx, ...) which is in charge of implementing the https protocol. The only links between https and Rails are:
- the fact that you can test if a request came from a secured connection (https) because the web server tells Rails,
- in HTTP, cookies are sent from the client through the same connection used later for the response: if you want to secure the content of the cookies, you must make each and every request using them with https, which means you will put your whole site in https; there's no way a part of it can be http if all content you are serving must be validated by a cookie (in fact even if you could, mixing http and https usually makes for nasty browser warnings telling the user that the site is only partially secure).

Lionel
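The rule Lionel describes (hostname, optional path, and whether the connection is secure) and Dave's earlier point that :secure => true only changes when the browser sends the cookie back, modelled as an added example in plain Ruby. This is not code from the thread or from Rails; the Set-Cookie header values and hostnames below are constructed.

```ruby
require 'uri'

# Minimal model of a browser cookie-jar entry (the RFC 6265 attributes that matter here).
Cookie = Struct.new(:name, :value, :domain, :path, :secure, :http_only)

# Parse one Set-Cookie header value. Default domain and path come from the URL
# the response was received on, as a browser would fill them in.
def parse_set_cookie(header, response_url)
  uri = URI(response_url)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  cookie = Cookie.new(name, value, uri.host.downcase, '/', false, false)
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    case key.downcase
    when 'domain'   then cookie.domain = val.sub(/\A\./, '').downcase
    when 'path'     then cookie.path = val
    when 'secure'   then cookie.secure = true      # what Rails' :secure => true adds
    when 'httponly' then cookie.http_only = true   # keeps the cookie out of document.cookie
    end
  end
  cookie
end

def domain_matches?(cookie, host)
  host == cookie.domain || host.end_with?(".#{cookie.domain}")
end

def path_matches?(cookie, path)
  prefix = cookie.path.end_with?('/') ? cookie.path : "#{cookie.path}/"
  path == cookie.path || path.start_with?(prefix)
end

# Hostname must match, path must match, and a Secure cookie is only attached
# when the request itself goes over https. A non-Secure cookie goes on both.
def send_cookie?(cookie, request_url)
  uri = URI(request_url)
  return false if cookie.secure && uri.scheme != 'https'
  path = uri.path.empty? ? '/' : uri.path
  domain_matches?(cookie, uri.host.downcase) && path_matches?(cookie, path)
end

# Build the Cookie request header a browser would send for request_url.
def cookie_header(jar, request_url)
  jar.select { |c| send_cookie?(c, request_url) }
     .map { |c| "#{c.name}=#{c.value}" }.join('; ')
end

# Constructed sample jar: a remember-me cookie set with the Secure flag (the shape Rails
# emits for cookies[:remember] = { :value => 'abc', :secure => true }) and one without it.
JAR = [
  parse_set_cookie('remember=abc; path=/; secure; HttpOnly', 'https://www.example.com/login'),
  parse_set_cookie('theme=dark; path=/', 'https://www.example.com/login')
]
```

Calling cookie_header(JAR, 'https://www.example.com/') returns both cookies, while cookie_header(JAR, 'http://www.example.com/') returns only theme=dark, which is the behaviour behind the "doesn't work any more" report earlier in the thread.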
thx for the answer... I think I'll not go deeper into integration of secure cookies for my website...

On Aug 10, 02:22, Lionel Bouton <lionel-subscript...-WTamNBQcZIx7tPAFqOLdPg@public.gmane.org> wrote:
> Differenthink wrote:
> > "To retrieve a cookie that has been set from https, you must be
> > accessing it from https. So, if the URL in your browser doesn't start with
> > https, you won't be able to read it."
>
> I'm not sure this is actually the case; cookies set without the secure
> option should be readable on a plain connection if I read the RFC correctly.
>
> > How can I do that if I check the cookie on any page through the
> > application layout... in that case which page has to be https, or can
> > only an action be https??
>
> A page and an action aren't HTTPS. A page is (usually) HTML content that
> you *always* return through the same means you got your request; it
> doesn't know if it's http or https (or more accurately it shouldn't need
> to). The action usually describes the code that performs pure
> computations; in Rails it usually doesn't bother with http and https,
> it is the web server (Apache, lighttpd, nginx, ...) which is in charge
> of implementing the https protocol. The only links between https and
> Rails are:
> - the fact that you can test if a request came from a secured connection
> (https) because the web server tells Rails,
> - in HTTP, cookies are sent from the client through the same connection
> used later for the response: if you want to secure the content of the cookies,
> you must make each and every request using them with https,
> which means you will put your whole site in https; there's no way a part
> of it can be http if all content you are serving must be validated by a
> cookie (in fact even if you could, mixing http and https usually makes
> for nasty browser warnings telling the user that the site is only
> partially secure).
>
> Lionel