On Jul 29, 8:07 pm, 7stud -- <li...@ruby-forum.com> wrote:
> Walter Davis wrote in post #1013792:
>
> > The only way we have determined that this is possible is with physical
> > access to the computer.
>
> Are you saying that the malicious user can only gain access to the
> user's account while using the user's computer? Or, is it true that
> once the malicious user has a copy of the cookie, he can access the
> account from any computer?
>
In the scheme you've outlined, I think it would work from any
computer. It could be extended though. I once implemented a scheme
whereby the ip address was part of the cryptographically signed info
so that the persistent cookie was valid only from that ip address
(obviously this has some limitations/problems too)
Frdd
> > As in any security scheme, that pretty well
> > trumps anything that doesn't rely on the user logging in every time,
> > and time-limited sessions.
>
> I wasn't critiquing rails, I was trying to understand why the author of
> the book said the persistent session was impervious to attack--after
> himself raising the specter of a malicious user gaining access to the
> user's computer. His explanation didn't make sense to me.
>
> --
> Posted viahttp://www.ruby-forum.com/.
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
No comments:
Post a Comment