Hi, I've found some questions on the Rails blog which haven't any answer. Because I'm interested too, I paste them here:

# gonzo on 07 Dec 22:10:

Does CSRF protection work with forms that are fully cached?

# rugal on 08 Dec 20:14:

Great job guys!

Just an information about migrations. Will t.timestamps create both created_at and updated_at? And for _on? t.datestamps? And if I want to create just one of them? t.datetime "created_at"?

# rugal on 08 Dec 20:21:

I forgot another thing about the HTTP Basic Authentication. In the code example there are both username and password set on the top of the class:

    USER_NAME, PASSWORD = "dhh", "secret"

    authenticate_or_request_with_http_basic do |user_name, password|
      user_name == USER_NAME && password == PASSWORD
    end

and in the method you check if they are equal. With a user model everything will be something like this?

    authenticate_or_request_with_http_basic do |user_name, password|
      user = User.find_by_nick(user_name)
      user && password == user.password
    end

(ok, in this case the password is not encrypted, but it's just an example :) )

Last question, what changes with the normal authentication? Is it better using this by HTTP? Why?

thanks :)

# kgodel on 08 Dec 23:10:

David,

You mention that the cookies are "in a hashed form that can't be forged".

Why should I believe you?

Since "forged" is a rather vague word, do you mean collision resistant, pre-image resistant, or 2nd pre-image resistant?

I haven't glanced at all the code yet so I'll assume you're using some version of SHA-2 and are aware of the collision vulnerabilities in MD5 and (the more difficult to generate) collision vulnerabilities in SHA-1.

Even so, "can't be forged" sounds like snake oil, and is incontrovertibly incorrect (given enough time and enough parallel FPGAs).

--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
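An added example, not from the thread or from Rails itself, of what rugal's second block looks like once the User model stores a salted digest instead of the plaintext password: a stand-alone Ruby stand-in for the authenticate_or_request_with_http_basic check that parses the Authorization header, finds the user by nick and compares digests in constant time. User, USERS, parse_basic and authenticate are hypothetical names constructed here, and the sample user is made up.

```ruby
require 'digest/sha2'
require 'securerandom'

# Constructed stand-in for a User model (hypothetical): stores a per-user salt
# and SHA-256(salt + password) instead of the plaintext password from the question.
User = Struct.new(:nick, :salt, :password_digest) do
  def self.digest(salt, password)
    Digest::SHA256.hexdigest(salt + password)
  end

  def self.create(nick, password)
    salt = SecureRandom.hex(16)
    new(nick, salt, digest(salt, password))
  end

  # Compare digests in constant time, so a near-miss takes as long as a total miss.
  def authenticated?(password)
    candidate = User.digest(salt, password)
    return false unless candidate.bytesize == password_digest.bytesize
    candidate.bytes.zip(password_digest.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Constructed sample data standing in for User.find_by_nick.
USERS = { 'dhh' => User.create('dhh', 'secret') }

# Parses an "Authorization: Basic base64(user:pass)" value into [user_name, password],
# or nil if the header is missing, not Basic, has no colon, or is not valid base64.
def parse_basic(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  decoded = header[6..-1].unpack1('m0')
  user_name, password = decoded.split(':', 2)
  password ? [user_name, password] : nil
rescue ArgumentError
  nil
end

# Mirrors the body of rugal's authenticate_or_request_with_http_basic block:
# find_by_nick, then verify the password; returns the User on success, nil otherwise.
def authenticate(header)
  creds = parse_basic(header)
  return nil unless creds
  user = USERS[creds[0]]
  user && user.authenticated?(creds[1]) ? user : nil
end
```

Inside a Rails controller the same check would sit in the block, returning the result of authenticate to decide whether to serve the action or send the 401 challenge.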
Anyone? :(

--
Posted via http://www.ruby-forum.com/.
I don't know about the first question. (CSRF protection)

The second question is right, you need to do t.datetime :created_at to create one of them. :created_at is favoured over created_on (imo)

Third one not a clue.

Fourth one wasn't even structured as a question.

On Dec 10, 2007 5:07 AM, Mix Mix <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi, I've found some questions on the rails blog which haven't any
> answer. Because I'm interested too I paste them here:

--
Ryan Bigg
http://www.frozenplague.net
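On kgodel's question: what the cookie session store relies on is not the collision resistance of the hash but a keyed HMAC over the session data, so "can't be forged" means "can't be produced without the server's secret". Added example, not Rails code: it mirrors the base64-data, "--", hex-digest cookie layout as I understand Rails 2.0's CookieStore (treat the exact layout as an assumption), verifies with a constant-time compare, and SECRET is a constructed placeholder.

```ruby
require 'openssl'

# Constructed placeholder; a real app takes this from its session secret config.
SECRET = 'example-secret-not-for-real-use'

# Builds a cookie value: base64(session data), then "--", then a hex HMAC-SHA1 of the
# base64 text keyed with the secret. Only a holder of the secret can produce a digest
# that verifies; the data itself stays readable, so this is integrity, not secrecy.
def sign_session(payload, secret)
  data = [payload].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)}"
end

# Returns the session payload if the digest matches, nil on any failure
# (missing digest, wrong key, tampered data, or malformed base64).
def verify_session(cookie, secret)
  data, digest = cookie.to_s.split('--', 2)
  return nil unless data && digest
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
  # Constant-time comparison: a plain == would stop at the first differing byte
  # and leak how much of the digest was right.
  return nil unless expected.bytesize == digest.bytesize &&
                    expected.bytes.zip(digest.bytes).sum { |a, b| a ^ b }.zero?
  data.unpack1('m0')
rescue ArgumentError
  nil
end
```

A cookie whose data was altered, or whose digest is an unkeyed SHA-1 over the same data, fails verification because the expected digest depends on the secret; finding SHA-1 collisions does not help without the key.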