similar to: Don't make cookie-stored sessions a default

Dear Rails community, As part of a programming languages/security research group at the University of Maryland, we are building some static analysis tools for Rails applications. These tools work by taking formally specified properties of interest, and then analyzing code to verify that those properties indeed hold. Using these tools, we found some security vulnerabilities in Rails, and we would

This might be a solved issue, so I thought I''d ask. I''m trying to use SWFUpload with the cookiestore. I''m passing in the session_id variable through a POST parameter in the upload. I''ve verified that Flash is sending the POST params (Flash 9). I thought simply by setting cookie_only to false for that method, I would be able to get that to work.

How can I get the sessid from the current session object? For instance, I log in the system, and want to know which sessid I''m using. I''m storing the session using active_record. Later on, I want to restore a session finding it using the sessid. Thanks in advance. Fernando Lujan

Aside from the replay attacks discussed, there are some other attack vectors on the cookie_session store. I appreciate (and admire!) Jeremy''s good humor on all of this: > Planting the seed here led to quick ripening and plenty of pesticide. > Thanks for the fish, all. > > jeremy Anyway, here''s what we came up with: 1. Brute Force SHA512 can be computed _very_ fast.

Hi all How would you go about sharing a session between two rails2 applications? I am using restful_authentication. A point in the direction of some relevant blogs would also be a great help. Regards Ivor --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group,

Hello all, I get the following error when I stuff my seesion with more than 4k of data. CGI::Session::CookieStore::CookieOverflow My problem is that I obviously need a fatter session. How do other users by-pass the 4k restriction on session variables? Regards, John --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups

Hi, I wrote a authentication script and I''m calling it like this in every class: class Blah < ApplicationController before_filter :auth def auth req_perm = Permission.find_by_name("Permission Blah") access = AccessController.new() if access.is_logged_in(session.session_id) if !access.get_current_user(session.session_id).role.permissions.include? req_perm redirect_to

Hi Hoping someone has had experience with this or can tell me where to start investigating. I''ve got a Rails app with Devise authentication running on a server cluster behind a load balancer, so requests to the website will alternately hit one server, or the other. My problem occurs when I try to register a new user. Everything goes fine, I get the confirmation email, I click the link,

The Agile book seems to say I should specify this as follows, probably in the environments.rb: ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager] = CGI::Session::ActiveRecordStore BUT the environments.rb file would have me Un-Comment this: config.action_controller.session_store = :active_record_store Anyway, I''ve tried both, and in both cases it

I am newbie to rail. Trying to develop social networking site so working with railspace application. Everything is working fine but I stuck in the problem when i am giving the authorization tocken to the user to remember him/her. My Error and controller code is below Error:- private method `gsub'' called for 4:Fixnum C:/Users/Amir/Downloads/IR/ruby/lib/ruby/1.8/cgi.rb:342:in

Hi all, AFAIK, session ids are generated and given to a user side as a cookie or whatever so that we may later "identify" a user and their previous authentication by that id. But this is not secure! It doesn''t matter if we use https or "secure cookies" or some other crap. It doesn''t matter. As soon as you trust the client to provide you with valid data, you

Hi, I just installed Rails 2.0.2 [root@mymachine easyx]# ruby --version ruby 1.8.6 (2007-03-13 patchlevel 0) [i686-linux] [root@mymachine easyrx]# gem install rails --include-dependencies Need to update 16 gems from http://gems.rubyforge.org ................ complete Successfully installed rails-2.0.2 [root@remandev easyrx]# But I''m getting this error in my restful_authentication

hello, I am trying to implement a "remember be" box for logins, however I cant seem to get it to work. I have tried the following 2 methods but neither seem to work. When i check the expiry time in firefox it always says "end of session". What is the proper way to handle this so the session cookie "_session_id" doesnt expire for a year? I tried

I''ve just sent a pull-request to _why with my changes[1] and here is some things that I think needs to be done before a (possible) release: * The cookie session is named Camping::Session and is placed in camping/session.rb. Maybe this should be called Camping::CookieSession or??? * The ActiveRecord session is named Camping::ARSession and is placed in camping/ar/session.rb. Maybe it

Hi all, My team and I are finding ourselves a little in the dark about the "CSRF Protection Bypass in Ruby on Rails" vulnerability that was announced yesterday - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails 1. Where is the complete Advisory? The Impact section is very unclear. Looking at the comment in the 2.3 patch mentions "Flash animations and

Hello, Running Ruby 1.8.6 and Rails 2.2.2 against an Oracle XE database (sigh). I just upgraded Rails from 1.2.3 to 2.2.2, which made my cookie based system for storing session information to error out due to the 4Kb limit. So, I tried to turn on the active_record_store system by un- commenting out the "config.action_controller.session_store = :active_record_store" line in

Hi I am been trying in vain to auto-gen models by reverse-engineering mysql using RMRE. It complains mysql2 gem missing but as seen in my Rails environment below, it is there. Here''s my Rails environment and RMRE error. Experts... please help! Thanks a ton in advance!! === Ruby version 1.9.2 (x86_64-linux) RubyGems version 1.3.7 Rack version 1.2 Rails version 3.0.3 Active Record

Has anyone managed to replace ActiveRecordStore::Session with their own model? In the source (http://dev.rubyonrails.org/browser/trunk/actionpack/lib/ action_controller/session/active_record_store.rb) it says you can override the default by setting CGI::Session::ActiveRecordStore.session_class = MySessionClass I have tried doing this in a number of ways but I get all kinds of weird errors, as

Hey all, I am looking through this example Rails app where a user session is stored in cookie so user signs up in one rails app and navigates to another while still being signed in as unique user. I come across this line of code where I don''t understand where some of these methods are coming from: @session = Session.create!(:user => @user) cookies[:session_token] = {:value

Hi *, In an attempt to go back to the drawing board and learn RoR some more - I have built the depot application from the agile book. After finishing I tried to create a user for the admin section, however when ever I go to: http://localhost:3000/login/add_user It redirects to the login action, I don''t see the [add user] submit button?? I am sure this is connected to the