similar to: Patch: more secure secret key generation for CookieStore

Displaying 20 results from an estimated 30000 matches similar to: "Patch: more secure secret key generation for CookieStore"

2008 Jan 20
3
CookieStore and Session data via POST vars (no cookies)
This might be a solved issue, so I thought I'd ask. I'm trying to use SWFUpload with the cookiestore. I'm passing in the session_id variable through a POST parameter in the upload. I've verified that Flash is sending the POST params (Flash 9). I thought simply by setting cookie_only to false for that method, I would be able to get that to work.
2009 Oct 17
3
Security problems with CookieStore and CSRF protection
Dear Rails community, As part of a programming languages/security research group at the University of Maryland, we are building some static analysis tools for Rails applications. These tools work by taking formally specified properties of interest, and then analyzing code to verify that those properties indeed hold. Using these tools, we found some security vulnerabilities in Rails, and we would
2008 Feb 27
8
ActiveRecord validation messages not I18N-friendly and enforces grammar
ActiveRecord validation messages are currently not I18N-friendly. Specifically, I'm referring to the fact that it enforces a certain grammar, namely the beginning of the message must consist of the field name. For example: validates_presence_of :name, :message => "can't be blank." ...generates the message "Name can't be blank". This grammar
2009 Sep 25
0
Authentication with Cookies instead of CookieStore Sessions
I would like to persist the user authentication between user sessions (basically a "remind me" by default). Sessions expire while cookies persist: why should I use a session for authentication and then another different cookie for the "remind me"? Can't I simply store a cookie with a token and use it for both authentication and persistence? -- Posted via
2010 Jun 17
3
RDoc 2.2.0 requirement
Looks like Rails 3 currently depends on RDoc 2.2.0 exactly, even though the latest version is 2.5.x. Why this specific version? -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to
2007 Dec 07
9
Merb-style development exception pages for Mac OS X
I like the merb-style exception pages where there're links to open the files listed in the stack trace in TextMate and the source around each line a lot, so I stole the idea (and the code!) and made a patch for Rails: http://dev.rubyonrails.org/ticket/10401 Here's how it looks in Merb: http://yehudakatz.com/wp-content/uploads/stacktrace.gif What do you guys think?
2007 Nov 20
29
Don't make cookie-stored sessions a default
Hi! Before Rails 2.0 comes out, I suggest not to make CookieStore the default session storage. It stores clear-text values on the client-side and the integrity check hash can be brute-force attacked. I understand that this has been set due to speed advantages, but I believe it's better to make better security a default. I've written a blog post about this
2008 Feb 09
1
how to check the config.action_controller.session options ?
when setting it in my environment.rb config.action_controller.session = { :session_key => '_myapp_session', :secret => '3a64394bb895f1f05e0c07f71127d93d' } I cannot get it back in the script/console .. :session_key=>"_session_id" !!! why ? >> ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS =>
2020 Sep 07
0
Wireshark LDAP capture vs Diffie-Hellman / pre-master secret - key log file
Hi, I am trying to debug a new (to me) printer, that should be able to use AD (for LDAP / address book lookups as well as authentication). It's been a while since I needed to dump traffic with wireshark; and evidently it's got harder since I last tried :) I have generated a wireshark dump on my DC, to see what the printer is trying to do, using: dc1$ sudo tcpdump host myprinter and port
2009 Aug 27
1
Documentation on RSA key authentication ?? (No way to send secret to peer)
Is there any documentation on IAX RSA authentication because I followed http://www.voip-info.org/wiki/index.php?page=Asterisk+iax+rsa+auth and it's not working... Asterisk 1 : -r--r--r-- 1 root root 272 Aug 25 10:34 server2.pub -r-------- 1 root root 963 Aug 24 19:38 server1.key Asterisk 2 : -r-------- 1 root root 963 Aug 24 19:53 server2.key -r--r--r-- 1 root root 272 Aug 25 09:02
2010 Jun 14
9
Multipart forms by default?
Forms without explicit enctype are submitted as application/x-www-form-urlencoded. This is the default behaviour in Rails. However, this enctype does not allow transmission of binary data (files). Would it not make sense to specify the enctype multipart/form-data by default instead? i.e. all the form_for helpers would add this enctype to the form tag, unless overridden by the developer. This
2007 Nov 04
3
Searching different fields based on document permissions
I'm currently writing a system that stores user-created documents. Each user belongs to a specific group, and the system supports multiple groups. The thing is, my users want to be able to hide pieces of a document from other groups. So for example, let's say Joe of team A has written this document: "Hello all, our secret plan is finally complete! <private>We will begin
2007 Aug 12
0
ActiveRecord with only a primary key
Hi, ActiveRecord does not currently support tables that have only a primary key. This seems to be a needed feature as evidenced by the tickets: http://dev.rubyonrails.org/ticket/6187 http://dev.rubyonrails.org/ticket/6319 http://dev.rubyonrails.org/ticket/7877 The update case is easily fixed by just not running the query when there are no columns to update. But the create case is problematic
2011 Jun 06
2
[PATCH] Document the method for building the Unicorn gem
From dcd47a609f4489bb37ce33ea1ce975bb2b3ab160 Mon Sep 17 00:00:00 2001 From: Hongli Lai (Phusion) <hongli at phusion.nl> Date: Mon, 6 Jun 2011 13:36:57 +0200 Subject: [PATCH] Document the method for building the Unicorn gem. Signed-off-by: Hongli Lai (Phusion) <hongli at phusion.nl> --- HACKING | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) diff --git
2007 Oct 26
15
Adding see_other method to ActionController
303 (See Other) is the status code a resource returns to tell the client about the new resource it just created (typically after a POST). 301/302 is the status code some servers return to tell the browser where to go next. It works because browsers ignore the distinction and treat all three status codes the same way, and few people understand the difference. But when developing an application
2008 Jul 09
3
CookieOverflow - 4k Session?
Hello all, I get the following error when I stuff my session with more than 4k of data. CGI::Session::CookieStore::CookieOverflow My problem is that I obviously need a fatter session. How do other users by-pass the 4k restriction on session variables? Regards, John
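The two CookieStore threads listed above ("Don't make cookie-stored sessions a default" and "CookieOverflow - 4k Session?") and the secret-generation patch this page is keyed on all turn on the same facts: the cookie carries the session data in the clear, only an HMAC over that data stops tampering, the client holds both halves so the secret can be attacked offline, and a browser cookie tops out at about 4 KiB. The Ruby script below is an added example written for this page, not code from any of the posts and not Rails' own implementation. It re-implements the Rails 2.x CookieStore layout as assumed here (base64 of Marshal.dump(session), then "--", then the hex HMAC-SHA1 of that base64 data under the secret); the secrets, guess list and session contents are constructed for the demo, and the 30-character minimum in secret_acceptable? is this demo's policy, not a rule taken from Rails.

```ruby
require 'openssl'
require 'securerandom'

# Assumed cookie layout (demo re-implementation, not Rails' code):
#   base64(Marshal.dump(session)) + "--" + hex(HMAC-SHA1(secret, base64 data))
# Browsers cap a single cookie at roughly 4 KiB; CookieStore raised
# CookieOverflow above that, which is what the 4k post hit.
COOKIE_LIMIT = 4096

# Constructed sample secrets: one an operator might type by hand, one of the
# kind a generator should emit (64 random bytes, 128 hex characters).
WEAK_SECRET   = 'changeme'
STRONG_SECRET = SecureRandom.hex(64)
# Constructed guess list for the offline attack below.
GUESSES = %w[secret password rails changeme myapp_session s3cret]

def generate_secret
  SecureRandom.hex(64)
end

# Demo policy: long enough and not just a few repeated characters.
def secret_acceptable?(secret)
  secret.is_a?(String) && secret.bytesize >= 30 && secret.chars.uniq.size >= 10
end

def encode_session(session, secret)
  data = [Marshal.dump(session)].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

def cookie_fits?(cookie)
  cookie.bytesize <= COOKIE_LIMIT
end

# What anyone holding the cookie can do without the secret: the session is
# only encoded, not encrypted, so every value is readable in the clear.
def peek_session(cookie)
  data, = cookie.split('--', 2)
  Marshal.load(data.unpack1('m0'))
end

# Constant-time comparison so digest verification does not leak byte-by-byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check. Marshal.load runs only after the digest verifies, because
# unmarshalling attacker-controlled bytes is itself dangerous.
def verify_session(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  return nil unless secure_compare(digest, expected)
  Marshal.load(data.unpack1('m0'))
end

# Offline brute force: the client holds both the data and the MAC, so each
# guess costs one HMAC and zero requests to the server. A weak secret falls
# to a word list; a random 512-bit secret does not. Once the secret is known,
# encode_session with it produces a forged cookie the server accepts.
def recover_secret(cookie, guesses)
  data, digest = cookie.split('--', 2)
  guesses.find { |g| OpenSSL::HMAC.hexdigest('SHA1', g, data) == digest }
end

if __FILE__ == $PROGRAM_NAME
  cookie = encode_session({ 'user_id' => 42, 'role' => 'user' }, WEAK_SECRET)
  puts "readable without the secret: #{peek_session(cookie).inspect}"
  secret = recover_secret(cookie, GUESSES)
  puts "recovered secret: #{secret.inspect}"
  forged = encode_session({ 'user_id' => 1, 'role' => 'admin' }, secret)
  puts "forged cookie accepted: #{!verify_session(forged, WEAK_SECRET).nil?}"
  puts "5000-byte session fits: #{cookie_fits?(encode_session({ 'blob' => 'a' * 5000 }, secret))}"
end
```

Run it as a plain script: the weak-secret cookie is read, its secret recovered from a handful of guesses, and an admin cookie forged in a few milliseconds, while the same guess list finds nothing for the SecureRandom secret. The size check shows why stuffing more than a few hundred bytes into a cookie-backed session is a design problem rather than a limit to work around.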
2008 Jan 08
3
Unbreak ActiveRecordHelper::form() when protect_from_forgery is used
Can I get some +1s for this tiny patch? It fixes ActiveRecordHelper::form, which is broken by default in new applications created with Rails 2.0. http://dev.rubyonrails.org/ticket/10739 Jeremy
2008 Apr 02
1
facebooker plugin!?
I'm trying to create a facebook application but I have no success. I either get one of those two errors depending on which revision of the plugin I use: CGI::Session::CookieStore::TamperedWithCookie (Using plugin from directory) or ActionView::TemplateError (Session key invalid or no longer valid) (Using plugin from a week ago or so). Has anyone successfully gotten an app that has to
2009 Apr 20
1
Upgrading rails to 2.3.2 - CookieOverflow issue
Folks, I am trying to upgrade system from rails 1.3.x to 2.3.2 and getting this error - Status: 500 Internal Server Error ActionController::Session::CookieStore::CookieOverflow /usr/lib/ruby/gems/1.8/gems/actionpack-2.3.2/lib/action_controller/ session/cookie_store.rb:102:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-2.3.2/lib/action_controller/ reloader.rb:9:in
2009 May 20
1
Problem on rack_setup
I'm having problems trying to set up facebooker on a Rails 2.3.2 project using :active_record_store for cookies. The problem happens because of this commit: http://github.com/mmangino/facebooker/commit/308770447db06433e505aaf27db2614cee213cc2 That code is trying to add the Rack::Facebook to the dispatch chain after ActionController::RewindableInput or