Displaying 20 results from an estimated 80000 matches similar to: "Don't make cookie-stored sessions a default"
2009 Oct 17
3
Security problems with CookieStore and CSRF protection
Dear Rails community,
As part of a programming languages/security research group at the
University of Maryland, we are building some static analysis tools for
Rails applications. These tools work by taking formally specified
properties of interest, and then analyzing code to verify that those
properties indeed hold. Using these tools, we found some security
vulnerabilities in Rails, and we would
2008 Jan 20
3
CookieStore and Session data via POST vars (no cookies)
This might be a solved issue, so I thought I'd ask. I'm trying to use
SWFUpload with the cookiestore. I'm passing in the session_id
variable through a POST parameter in the upload. I've verified that
Flash is sending the POST params (Flash 9).
I thought simply by setting cookie_only to false for that method, I
would be able to get that to work.
2006 May 05
5
Sessid.
How can I get the sessid from the current session object?
For instance, I log in the system, and want to know which sessid I'm using.
I'm storing the session using active_record. Later on, I want to restore
a session finding it using the sessid.
Thanks in advance.
Fernando Lujan
2007 Mar 30
7
Some additional attacks on Cookie Session
Aside from the replay attacks discussed, there are some other attack
vectors on the cookie_session store.
I appreciate (and admire!) Jeremy's good humor on all of this:
> Planting the seed here led to quick ripening and plenty of pesticide.
> Thanks for the fish, all.
>
> jeremy
Anyway, here's what we came up with:
1. Brute Force
SHA512 can be computed _very_ fast.
2008 Jan 21
1
shared sessions and rails2
Hi all
How would you go about sharing a session between two rails2 applications? I
am using restful_authentication.
A point in the direction of some relevant blogs would also be a great help.
Regards
Ivor
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group,
2008 Jul 09
3
CookieOverflow - 4k Session?
Hello all,
I get the following error when I stuff my session with more than 4k of
data.
CGI::Session::CookieStore::CookieOverflow
My problem is that I obviously need a fatter session.
How do other users by-pass the 4k restriction on session variables?
Regards,
John
2008 Mar 01
15
before_filter strange behaviour on update and create
Hi,
I wrote an authentication script and I'm calling it like this in every
class:
class Blah < ApplicationController
  before_filter :auth
  def auth
    req_perm = Permission.find_by_name("Permission Blah")
    access = AccessController.new()
    if access.is_logged_in(session.session_id)
      if !access.get_current_user(session.session_id).role.permissions.include?(req_perm)
        redirect_to
2010 Nov 25
4
Devise sessions and load-balanced/multiple servers
Hi
Hoping someone has had experience with this or can tell me where to
start investigating.
I've got a Rails app with Devise authentication running on a server
cluster behind a load balancer, so requests to the website will
alternately hit one server, or the other. My problem occurs when I try
to register a new user. Everything goes fine, I get the confirmation
email, I click the link,
2006 May 17
3
Session in ActiveRecordStore
The Agile book seems to say I should specify this as follows, probably in the
environments.rb:
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager] =
CGI::Session::ActiveRecordStore
BUT the environments.rb file would have me Un-Comment this:
config.action_controller.session_store = :active_record_store
Anyway, I've tried both, and in both cases it
2012 Apr 25
8
showing error (gsub) when switching from session to cookies
I am a newbie to Rails. Trying to develop a social networking site, so working
with the railspace application. Everything is working fine but I got stuck on
the problem when I am giving the authorization token to the user to
remember him/her.
My Error and controller code is below
Error:-
private method `gsub' called for 4:Fixnum
C:/Users/Amir/Downloads/IR/ruby/lib/ruby/1.8/cgi.rb:342:in
2005 Mar 06
8
Session ids and identification
Hi all,
AFAIK, session ids are generated and given to a user side as a cookie or
whatever so that we may later "identify" a user and their previous
authentication by that id. But this is not secure! It doesn't matter if
we use https or "secure cookies" or some other crap. It doesn't matter.
As soon as you trust the client to provide you with valid data, you
2008 Jan 30
2
Where can I get "authenticate_with_http_basic"?
Hi,
I just installed Rails 2.0.2
[root@mymachine easyx]# ruby --version
ruby 1.8.6 (2007-03-13 patchlevel 0) [i686-linux]
[root@mymachine easyrx]# gem install rails --include-dependencies
Need to update 16 gems from http://gems.rubyforge.org
................
complete
Successfully installed rails-2.0.2
[root@remandev easyrx]#
But I'm getting this error in my restful_authentication
2006 Apr 28
3
persistent cookies
hello,
I am trying to implement a "remember me" box for logins, however I can't
seem to get it to work. I have tried the following 2 methods but neither
seems to work. When I check the expiry time in Firefox it always says "end
of session".
What is the proper way to handle this so the session cookie "_session_id"
doesn't expire for a year?
I tried
2008 May 24
19
Camping 2.0 - What's left?
I've just sent a pull-request to _why with my changes[1] and here are some
things that I think need to be done before a (possible) release:
* The cookie session is named Camping::Session and is placed in
camping/session.rb. Maybe this should be called Camping::CookieSession or???
* The ActiveRecord session is named Camping::ARSession and is placed in
camping/ar/session.rb. Maybe it
2011 Feb 09
2
CSRF Protection Bypass in Ruby on Rails - I don't get it ...
Hi all,
My team and I are finding ourselves a little in the dark about the
"CSRF Protection Bypass in Ruby on Rails" vulnerability that was
announced yesterday - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
1. Where is the complete Advisory? The Impact section is very unclear.
Looking at the comment in the 2.3 patch mentions "Flash animations and
2008 Dec 25
2
Switching to active_record_store session management errors out
Hello,
Running Ruby 1.8.6 and Rails 2.2.2 against an Oracle XE database
(sigh).
I just upgraded Rails from 1.2.3 to 2.2.2, which made my cookie-based
system for storing session information error out due to the 4Kb
limit. So, I tried to turn on the active_record_store system by
uncommenting the "config.action_controller.session_store
= :active_record_store" line in
2010 Dec 15
2
Error reverse engineering MySQL with RMRE
Hi
I have been trying in vain to auto-gen models by reverse-engineering
mysql using RMRE. It complains mysql2 gem missing but as seen in my
Rails environment below, it is there.
Here's my Rails environment and RMRE error. Experts... please help!
Thanks a ton in advance!!
===
Ruby version 1.9.2 (x86_64-linux)
RubyGems version 1.3.7
Rack version 1.2
Rails version 3.0.3
Active Record
2008 May 21
2
Replacing ActiveRecordStore::Session with a custom model
Has anyone managed to replace ActiveRecordStore::Session with their
own model?
In the source (http://dev.rubyonrails.org/browser/trunk/actionpack/lib/action_controller/session/active_record_store.rb)
it says you can override the default by setting
CGI::Session::ActiveRecordStore.session_class = MySessionClass
I have tried doing this in a number of ways but I get all kinds of
weird errors, as
2011 Apr 29
3
questions about cookies when bridging together two rails apps
Hey all,
I am looking through this example Rails app where a user session is
stored in a cookie so a user signs up in one Rails app and navigates to
another while still being signed in as a unique user. I came across this
line of code where I don't understand where some of these methods are
coming from:
@session = Session.create!(:user => @user)
cookies[:session_token] = {:value
2006 Apr 25
2
agile depot app login failure :(
Hi *,
In an attempt to go back to the drawing board and learn RoR some more -
I have built the depot application from the agile book.
After finishing I tried to create a user for the admin section, however
when ever I go to:
http://localhost:3000/login/add_user
It redirects to the login action, I don't see the [add user] submit
button??
I am sure this is connected to the