On Jul 29, 10:49 am, 7stud -- <li...@ruby-forum.com> wrote:
> The user goes on vacation for two weeks. While the user is on vacation,
> the malicious user gains access to the user's computer and inspects the
> cookies on the user's computer,
> and copies the token plus timestamp. The malicious user goes to his
> computer, creates a cookie with the copied token, and logs into the app.
> Won't the malicious user have free access to the user's account?
Sure, but at this point the user is pretty throughly pwned anyways -
there's no system that will protect the login here, short of ditching
the whole "persistent login" part and requiring the user to re-
autheticate on each visit.
--Matt Jones
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
No comments:
Post a Comment