I'm looking at page 162 in *Agile Web Development with Rails* and in there they do the following once they find that a user has logged in with the right name and password:

- - -

    def login
      if request.post?
        user = User.authenticate(params[:username], params[:password])
        if user
          session[:user_id] = user.id
          redirect_to(:action => "index")
        else
          flash.now[:notice] = "Invalid user/password combination"
        end
      end
    end

- - -

The line that concerns me is

    session[:user_id] = user.id

The authors write

#########
The login action will need to record something in session to say that an administrator is logged in. Let's have it store the id of their User object using the key user.id. The login code looks like this:
#########

Given that the session data is likely to be stored in cookies, and given that user.id is likely to be a relatively small number (less than a million) ... how secure is this as a flag to indicate that someone is an authorized user of a store??? Couldn't an unauthorized user create the session[:user_id] = user.id and then get access?

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Ralph Shnelvar wrote:
> The line that concerns me is
>     session[:user_id] = user.id
> ...
> Given that the session data is likely to be stored in cookies, and given
> that user.id is likely to be a relatively small number (less than a
> million) ... how secure is this as a flag to indicate that someone is an
> authorized user of a store??? Couldn't an unauthorized user create the
> session[:user_id] = user.id and then get access?

A good question! You are thinking the right way. Fortunately this question has been asked already and the answer is that the session is a signed piece of data using an HMAC. This means that if an attacker tries to change the values in the session store, the signature will fail. The signature check in Rails will catch this and the user will see a 422 error. Try it!

Note that the session is only signed and not encrypted. So don't store anything there that you don't want the user to be able to see. It is only protected from modification and not protected from being seen.

Here is a good guide for further information.

http://guides.rubyonrails.org/security.html

Bob
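To make the two points above concrete (a signed cookie can be read but not altered without the secret), here is an added, simplified stand-in for what the Rails cookie store does; it is not Rails' own code, uses HMAC-SHA256 over a base64 JSON payload instead of Rails' internal format, and the SECRET constant and function names are placeholders chosen for this illustration.

```ruby
require "openssl"
require "json"
require "base64"

# Assumed placeholder secret for this example only; a real app derives it
# from its configured server-side secret and never ships it to clients.
SECRET = "dev-only-placeholder-secret-do-not-use"

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign a session hash: base64(JSON payload) + "--" + hex HMAC over that payload.
def sign_session(session, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  digest  = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  "#{payload}--#{digest}"
end

# Verify and decode a cookie value. Returns the session hash, or nil when the
# signature does not match (the server must then treat the request as having
# no session, which is what the 422 in Rails corresponds to).
def load_session(cookie, secret = SECRET)
  payload, digest = cookie.split("--", 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Model a client that edits the readable (unencrypted) payload but keeps the
# old signature, since it does not know the server secret.
def forge_user_id(cookie, new_id)
  payload, digest = cookie.split("--", 2)
  session = JSON.parse(Base64.strict_decode64(payload))
  session["user_id"] = new_id
  "#{Base64.strict_encode64(JSON.generate(session))}--#{digest}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session({ "user_id" => 42 })
  puts "valid cookie loads:  #{load_session(cookie).inspect}"
  puts "payload is readable: #{Base64.strict_decode64(cookie.split('--').first)}"
  puts "forged cookie loads: #{load_session(forge_user_id(cookie, 1)).inspect}"
end
```

Running it shows the payload decodes to plain text for anyone holding the cookie, while the edited copy is rejected because its HMAC no longer matches.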
Bob Proulx wrote:
> Here is a good guide for further information.
>
> http://guides.rubyonrails.org/security.html
>
> Bob

I must have read that guide over the last several months half a dozen times. Your two-paragraph explanation made it snap into focus for me ... finally!

Thanks!

Ralph