On Jul 29, 2011, at 3:07 PM, 7stud -- wrote:
> Walter Davis wrote in post #1013792:
>> The only way we have determined that this is possible is with
>> physical access to the computer.
>>
>
> Are you saying that the malicious user can only gain access to the
> user's account while using the user's computer? Or, is it true that
> once the malicious user has a copy of the cookie, he can access the
> account from any computer?
>
>
>
>> As in any security scheme, that pretty well
>> trumps anything that doesn't rely on the user logging in every time,
>> and time-limited sessions.
>>
>
> I wasn't critiquing rails, I was trying to understand why the author
> of the book said the persistent session was impervious to attack--after
> himself raising the specter of a malicious user gaining access to the
> user's computer. His explanation didn't make sense to me.
In answer to both of your questions, I was saying that physical access
to a computer where the user has checked the "remember me" option
completely trumps the security system. The computer becomes the key to
the lock, so if you steal that key... Which is another good reason to
always include a password lock on your screensaver, and disable any
auto-login convenience features. Especially on a laptop, but even on a
desktop that isn't in a locked room.
As far as a copy of the cookie being useful, I'm not sure I can
comment. I think that it would work up until the point where the real
user logged in again, and the fact that the user *had* to log in again
might worry/alert a suitably clueful user that their remember me
cookie had changed. But I can't say definitively, because I don't know
what all goes into the cryptographic signature of the remember me
cookie. If it's something based on the individual browser, then it
seems likely to me that it might fail on a different browser.
Walter
>
> --
> Posted via http://www.ruby-forum.com/.
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To post to this group, send email to rubyonrails-talk@googlegroups.com.
> To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
>
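The two open questions in the thread (does a copied remember-me cookie work from another machine, and does it keep working after the real user logs in again) come down to how the cookie is built and what the server keeps. The following is an added example, not Walter's code and not Rails' own remember-me implementation; it models one common design, assumed here: the cookie carries a random token, an HMAC under a server-side secret signs it, the server stores only a SHA-256 digest of the current token per user, and a fresh token is issued at every login. `RememberMeStore`, `secure_equal?` and `stolen_cookie_scenario` are hypothetical names. Under these assumptions a copied cookie validates from any browser (nothing in the check depends on the client), and it stops validating the moment the legitimate user logs in again or logs out, which is the behaviour Walter guesses at above.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'

# Constant-time string comparison in plain Ruby, so the example runs on any
# Ruby version without depending on OpenSSL.secure_compare.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical remember-me scheme, constructed for this example (not Rails'
# implementation). Cookie layout: "user_id:token.signature" where token is
# random, signature is HMAC-SHA256 under a server secret, and the server keeps
# only a SHA-256 digest of the current token for each user.
class RememberMeStore
  def initialize(secret)
    @secret  = secret
    @digests = {}   # user_id => hex digest of the currently valid token
  end

  # Called at login when "remember me" is ticked. Issues a fresh token, so
  # every cookie issued earlier for this user (stolen copies included) stops
  # validating from this point on.
  def issue(user_id)
    token   = SecureRandom.hex(32)
    payload = "#{user_id}:#{token}"
    @digests[user_id] = Digest::SHA256.hexdigest(token)
    "#{payload}.#{sign(payload)}"
  end

  # Returns user_id if the cookie is valid, else nil. Nothing here depends on
  # which browser or machine presents the cookie: the signature is keyed to the
  # server secret and the token is matched against the server-side digest.
  def authenticate(cookie)
    payload, sig = cookie.to_s.split('.', 2)
    return nil unless payload && sig && secure_equal?(sign(payload), sig)
    user_id, token = payload.split(':', 2)
    return nil unless user_id && token
    expected = @digests[user_id]
    return nil unless expected
    secure_equal?(expected, Digest::SHA256.hexdigest(token)) ? user_id : nil
  end

  # Explicit logout: drop the digest so a stolen copy dies immediately.
  def revoke(user_id)
    @digests.delete(user_id)
    nil
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end
end

# The scenario from the thread: the attacker copies the cookie off the victim's
# machine, uses it elsewhere, and then the victim logs in again.
def stolen_cookie_scenario
  store         = RememberMeStore.new(SecureRandom.hex(32))  # server secret
  victim_cookie = store.issue('alice')                       # set on alice's laptop
  stolen_copy   = victim_cookie.dup                          # attacker copies the cookie file

  before = store.authenticate(stolen_copy)                       # "alice": works from any machine
  forged = store.authenticate(stolen_copy.sub('alice:', 'bob:')) # nil: HMAC no longer matches
  store.issue('alice')                                           # alice logs in again, token rotates
  after  = store.authenticate(stolen_copy)                       # nil: old token no longer matches

  { attacker_before_relogin: before, forged_user_id: forged, attacker_after_relogin: after }
end
```

The design choice worth noting is the rotation in `issue`: the server-side digest is what makes a re-login kill the stolen copy. A scheme that only verifies the HMAC and never consults server state would keep honouring the copied cookie until it expires, regardless of how often the real user logs in.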