Displaying 20 results from an estimated 1000 matches similar to: "Can the session be trusted for Username/password?"
2009 Oct 17
3
Security problems with CookieStore and CSRF protection
Dear Rails community,
As part of a programming languages/security research group at the
University of Maryland, we are building some static analysis tools for
Rails applications. These tools work by taking formally specified
properties of interest, and then analyzing code to verify that those
properties indeed hold. Using these tools, we found some security
vulnerabilities in Rails, and we would
2006 Aug 22
7
Cleanup at session expiration
I'm going to explicitly time out sessions if they're idle more than X minutes. Like online banking sites do.
How do I set things up so that, when a session expires, a set of database records and a set of files that may have been created (which are identified via a separate set of database records) are deleted just before the session data?
TIA,
Bill
2006 Jul 10
1
Redirects and keeping flash
My code that acts if a session has timed out looks like this:
reset_session
session[:expires_at] = nil
# TODO - This flash is never shown, because we redirect maybe?
flash[:error] = 'Your session has timed out, please login to
continue.'
# An attempt to make flash stick around, not working
flash.keep
redirect_to :controller => 'security',
2006 Jul 05
8
Beating the authentication horse (dead yet?)
Guys,
I'm frankly overwhelmed by the number of Rails authentication options(?)
out there...from ActiveRBAC to acts_as_authenticated to LoginEngine and
so on...so many options, yet no resource I've found really distinguishes
between each.
This is sad, as authentication and user management is really an area
where some Rails simplicity pixie dust could be a real boon to
2006 May 02
2
flash not shown
I am using the following code (inspired by one of the books) to check if
the user's session should have timed out.
# Check to see if the user has been inactive for longer than the
# expiry period. If they have, reset the session.
def check_timeout
if session[:expires_at] != nil
@time_left = (session[:expires_at] - Time.now).to_i
unless @time_left > 0
2014 Jan 09
2
NUT clients - merits of authenticating
Hi,
I'd like to better understand the merits of NUT clients (slaves) properly authenticating with the NUT server (master).
NUT allows clients to retrieve UPS status (upsc ups@10.10.10.1) without authenticating, shutdowns are properly triggered via polling.
From testing one apparent benefit of authenticating is the client receives the shutdown event more quickly rather than the polling
2009 Feb 03
7
The Origins of R
In another thread on this list, various wild allegations have been
made, relating to the New York Times article on R. I object both to
the subject line and to the content of several of the messages, and
will not repeat or quote any of that content. It smacks to me of
mischief making.
Discussion has centered around the following quote from the NY Times
article:
“According to them, the
2005 May 11
7
1.0.8 Salted hash login generator available
All,
Version 1.0.8 of the salted hash login generator is available.
This contains a few minor bug fixes with the generator plus some
README clarifications. If you are successfully running with the code
already, you probably do not need this.
Joe
2006 May 17
3
What am I missing?
There's got to be a simple answer to this...
def logout
reset_session
flash[:notice] = "Logged out"
redirect_to :action => 'index'
end
The flash never shows up, and doesn't seem to be in the new session.
--Al Evans
--
Posted via http://www.ruby-forum.com/.
2013 Mar 07
1
tracking user activity - Active Directory
Hello,
Some mischief happened and I have been asked if I can find out who was
logged into their computers within a specific off-hours time frame. My
logs for that time frame happened to be running at debug level 3, so I
have been looking through them and trying to figure out how to recognize
a workstation login. I find lines beginning with
auth_check_password_send that seem like reasonably good
2014 Jan 11
0
NUT clients - merits of authenticating
On Jan 9, 2014, at 4:00 PM, Lonnie Abelbeck wrote:
> Hi,
>
> I'd like to better understand the merits of NUT clients (slaves) properly authenticating with the NUT server (master).
>
> NUT allows clients to retrieve UPS status (upsc ups@10.10.10.1) without authenticating, shutdowns are properly triggered via polling.
>
> From testing one apparent benefit of
2006 Jul 07
4
need help with some ugly code - is there a better way?
Hi,
In my user_controller.rb, I have the following method, which is supposed
to send the user to their profile, depending on what "role" they are (the
roles correspond to the other controllers: venue, band, fan):
def login
if request.post?
if session[:user_id] = User.authenticate(params[:user][:login],
params[:user][:password])
flash[:message] =
2006 Mar 12
2
counter_cache reference/tutorial
I'm trying to use counter_cache, but I'm not doing something right.
It is unreliable and I keep having to correct it manually. Is there a
good tutorial or reference on how to use it on-line? I have the AWDR
book, but I need something more complete.
TIA,
Jeffrey
2006 Apr 28
9
[AWDR] Tutorial in A4 won't 'destroy' items
Hello,
I'm working through the tutorial, and I've run into a little snag. In
the first part of the tutorial, the destroy link is not working
correctly. I can't figure out where I goofed. Removing :confirm doesn't
seem to resolve the issue.
Thanks,
Randy.
development.log
----->8-----
Processing AdminController#destroy (for 127.0.0.1 at 2006-04-27
2008 Sep 11
4
(unknown)
I do not seem to understand what this error is about. Somebody help.
wrong number of arguments (1 for 2)
RAILS_ROOT: C:/INSTAN~1/rails_apps/project/config/..
Application Trace | Framework Trace | Full Trace
#{RAILS_ROOT}/app/controllers/user_controller.rb:10:in `authenticate'
#{RAILS_ROOT}/app/controllers/user_controller.rb:10:in `process_login'
2006 Jul 04
2
clear all sessions keys
hi list,
how to iterate over the Session object to reset all session keys (after
a logout for example)
session['something']=nil
session['another_key']=nil
...
is there something like session.keys{|aSessionKey|
session[aSessionKey]=nil} ?
thanks
arnaud
2006 Jun 25
6
Understanding Common Views
Hi Everyone,
I'm trying to formulate my thoughts on how views work in RoR and I
understand the basic bits -
1. Every controller has its own view defined using rhtml files in the
views/[controller_name] folder.
2. There is one "view" file (rhtml) for every in the controller and has
the same name as the method.
3. For portions that are common, partials can be used - file
2006 Jul 22
4
Reading floating points into a field stored as Integers
Hi, I'm trying to follow the "AWDR" example of storing certain types of
numbers (in my case, percentages not money) as integers in the
database. I understand from the Depot application how to format the
output to have 2 places (or n places for that matter) decimal.
Now, I'm wondering about the input. It's more natural for people to
enter numbers as
2005 Aug 04
2
Graphics on MacOSX
Is there a possibility on MacOSX to import Graphics into MSOffice
Applications and resize them there without decreased quality? When I import
via copy&paste I get low quality bitmaps and via import pictures (pdf) it is
all the same. In the Windows versions of R there is the convenient way to
use metafile format which can easily be resized in ppt and word. What is the
equivalent way on
2006 Apr 10
2
using web service for authentication
I am writing a web service for authentication of users and was using
web_service_scaffold :invoke for testing it out...and was able to consume it
using .NET. But my question is, what's the simplest method using which I can
use the same web service in the current Web App. I mean, not from an external
application or something but from the current web apps itself.
I found one method in AWDR, and