search for: cookiestore

Displaying 20 results from an estimated 20 matches for "cookiestore".

2008 Jan 20
3
CookieStore and Session data via POST vars (no cookies)
This might be a solved issue, so I thought I'd ask. I'm trying to use SWFUpload with the cookiestore. I'm passing in the session_id variable through a POST parameter in the upload. I've verified that Flash is sending the POST params (Flash 9). I thought simply by setting cookie_only to false for that method, I would be able to get that to work. Turned out I had to do a...
2009 Oct 17
3
Security problems with CookieStore and CSRF protection
...ications. These tools work by taking formally specified properties of interest, and then analyzing code to verify that those properties indeed hold. Using these tools, we found some security vulnerabilities in Rails, and we would like to get a sense of how important these are in practice. 1. Using CookieStore opens the door to "replay attacks", whose importance is, we feel, underestimated. A dishonest user can replay an old session to fool the server, of course; but more critically, it may be possible for an attacker to steal a cookie from an honest user after the latter is authenticated, and...
2007 Nov 26
0
Patch: more secure secret key generation for CookieStore
I've created a patch for generating a more secure default secret key for CookieStore: http://dev.rubyonrails.org/ticket/10286 I'm looking for +1s, please review/comment on my patch.
2009 Sep 25
0
Authentication with Cookies instead of CookieStore Sessions
I would like to persist the user authentication between user sessions (basically a "remind me" by default). Sessions expire while cookies persist: why should I use a session for authentication and then another different cookie for the "remind me"? Can't I simply store a cookie with a token and use it for both authentication and persistence?
2008 Jul 09
3
CookieOverflow - 4k Session?
Hello all, I get the following error when I stuff my session with more than 4k of data. CGI::Session::CookieStore::CookieOverflow My problem is that I obviously need a fatter session. How do other users by-pass the 4k restriction on session variables? Regards, John
2007 Nov 20
29
Don't make cookie-stored sessions a default
Hi! Before Rails 2.0 is coming, I suggest not to make CookieStore the default session storage. It stores clear-text values on the client-side and the integrity check hash can be brute-force attacked. I understand that this has been set due to speed advantages, but I believe it's better to make better security a default. I've written a blog pos...
2010 Nov 25
4
Devise sessions and load-balanced/multiple servers
...register a new user. Everything goes fine, I get the confirmation email, I click the link, it hits the confirmation page and then goes directly to the sign in page, instead of proceeding to the user_root_path. The account IS marked as confirmed in the database though. I thought perhaps the default CookieStore for sessions was causing problems, so I tried the ActiveRecord store, with the same results. When I try the exact same app/code on my local machine, or on the cluster with only one of the servers active, it works perfectly. Anyone have any ideas on this, or where to start looking for the problem?...
2009 May 20
1
Problem on rack_setup
...ive_record_store for cookies. The problem happens because of this commit: http://github.com/mmangino/facebooker/commit/308770447db06433e505aaf27db2614cee213cc2 That code is trying to add the Rack::Facebook to the dispatch chain after ActionController::RewindableInput or ActionController::Session::CookieStore if the first one is not found. The problem in my case is that I'm not using cookies, so this should fall back to ActiveRecord::SessionStore. I could provide a patch, but wanted to be sure if what I'm saying is correct. Thanks! Carlos K. -- http://www.ckozus.com http://www.ins...
2008 Feb 09
1
how to check the config.action_controller.session options ?
...sole .. :session_key=>"_session_id" !!! why ? >> ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS => {:session_key=>"_session_id", :cookie_only=>true, :session_path=>"/", :prefix=>"ruby_sess.", :database_manager=>CGI::Session::CookieStore, :tmpdir=>"/Users/myself/tmp/sessions/"} how can get back the :session_key and :secret in my controllers ? -- Posted via http://www.ruby-forum.com/.
2009 Apr 20
1
Upgrading rails to 2.3.2 - CookieOverflow issue
Folks, I am trying to upgrade system from rails 1.3.x to 2.3.2 and getting this error - Status: 500 Internal Server Error ActionController::Session::CookieStore::CookieOverflow /usr/lib/ruby/gems/1.8/gems/actionpack-2.3.2/lib/action_controller/ session/cookie_store.rb:102:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-2.3.2/lib/action_controller/ reloader.rb:9:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-2.3.2/lib/action...
2008 Apr 02
1
facebooker plugin!?
I'm trying to create a facebook application but I have no success. I either get one of those two errors depending on which revision of the plugin I use: CGI::Session::CookieStore::TamperedWithCookie (Using plugin from directory) or ActionView::TemplateError (Session key invalid or no longer valid) (Using plugin from a week ago or so). Has anyone successfully gotten an app that has to be added (ensure_application_is_installed_by_facebook_user) and uses FBML (not iframe) ?...
2010 Feb 09
4
Rails3 pre and protect_from_forgery
I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having some trouble with protect_from_forgery. I had protect_from_forgery set in application_controller.rb, but run some uploadify ajax stuff in one of my controllers, where I had protect_from_forgery, :except => :add_file set. In rails 3 I'm getting ActionController::InvalidAuthenticityToken on the ajax
2010 Dec 15
2
Error reverse engineering MySQL with RMRE
...iveSupport::Cache::Strategy::LocalCache Rack::Runtime Rails::Rack::Logger ActionDispatch::ShowExceptions ActionDispatch::RemoteIp Rack::Sendfile ActionDispatch::Callbacks ActiveRecord::ConnectionAdapters::ConnectionManagement ActiveRecord::QueryCache ActionDispatch::Cookies ActionDispatch::Session::CookieStore ActionDispatch::Flash ActionDispatch::ParamsParser Rack::MethodOverride ActionDispatch::Head ActionDispatch::BestStandardsSupport Application root /root/test/app Environment development Database adapter mysql2 Database schema version 0 ====== % rmre -a mysql -d test -u root /usr/local/rvm/gems/rub...
2007 Mar 30
0
Storing an order object in a cookie based session
...he order object is constructed, and stored in the session (if it passes validation). The is sent to another page where they can confirm all their info and press the "finalize order" button. The problem is that the order object is too large to fit in the session, and I get a CGI::Session::CookieStore::CookieOverflow exception. The addresses and other customer data overflow the 4k limit. So, without switching session stores, what's the best way to fix this? I don't really want to store the order object in the session, but it seemed like the easiest option. I thought about only storin...
2008 Jan 21
1
shared sessions and rails2
Hi all How would you go about sharing a session between two rails2 applications? I am using restful_authentication. A point in the direction of some relevant blogs would also be a great help. Regards Ivor
2009 Mar 20
0
Session data and 304 Not Modified HTTP code
I am storing an id in the session data. An action causes the id to change, however, the rendered action has not changed. The server returns a 304 Not Modified code and doesn't return the cookie. With Rails 2.2.2, I believe it is using the CookieStore for sessions, so I expect the cookie to update. When I hit the site again, the old session data is used. Is there a way to use the new session data? Thanks, Jeff.
2007 Dec 04
5
when to save, session reflect saves?
I am trying to clean up unnecessary lines (even as I hack my way forward adding more garbage) I have two questions on lines I have trying to keep the database and session info reflecting changes: def associate_pupil_to_teacher @teacher = session[:teacher] @pupil = Pupil.find(params[:id]) @teacher.pupils << @pupil @teacher.save #Q1 session[:teacher] = @teacher #Q2 end #Q1 do i
2008 Mar 01
15
before_filter strange behaviour on update and create
Hi, I wrote an authentication script and I'm calling it like this in every class: class Blah < ApplicationController before_filter :auth def auth req_perm = Permission.find_by_name("Permission Blah") access = AccessController.new() if access.is_logged_in(session.session_id) if !access.get_current_user(session.session_id).role.permissions.include? req_perm redirect_to
2007 Sep 18
10
Routes
hi all, I want to move some routing tasks out of the router and into the controller. The goal is to make Merb feel less like mod_rewrite and give the user more control at the controller. The new Router is simple: it takes the path_info (not the whole request) then outputs a controller class and some parameters from the path matching. The rest of the routing would be done at the controller level.
2010 Apr 14
35
Conditionally adding a link to a form -- how?
I've got two entities created by scaffolding: Expense & Vendor In Expense#new there's a form with a Vendors-drop-down and a NewVendor- button. The latter button brings up Vendor#new. The Create button in Vendor#new brings up Vendor#show with Edit & Back links. I want to append a third link conditionally to Vendor#show: if the Expense#new form led to the Vendor#show