You're absolutely right. Not anymore, though. I fixed it in my cs-branch.
Now it will save the data in three cookies: camping_blob, camping_hash
and camping_time. The secure_blob_hasher includes the remote IP and
the user agent, and it also has a timeout of 15 minutes (which can be overridden
with @@state_timeout).

http://github.com/judofyr/camping/commits/cs

On Sun, May 25, 2008 at 5:43 AM, _why <[EMAIL PROTECTED]> wrote:
> On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote:
>> * The cookie session is named Camping::Session and is placed in
>> camping/session.rb. Maybe this should be called Camping::CookieSession or???
>
> You know, these cookie sessions seem like they could be a problem.
> A lot of sessions would contain just the hash and the user name.
> So, spoof the user name and you're in, you know?
>
> _why
> _______________________________________________
> Camping-list mailing list
> Camping-list@rubyforge.org
> http://rubyforge.org/mailman/listinfo/camping-list
>



-- 
Magnus Holm
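An illustration of the scheme Magnus describes above, added here as an example and not taken from Camping's cs branch: the session is split into camping_blob, camping_time and camping_hash values, the hash is an HMAC over the blob, the issue time, the remote IP and the user agent, and a load older than the 15-minute timeout is rejected. The class name, HMAC-SHA256, the JSON/Base64 encoding of the blob, the constant-time comparison and the secret are all assumptions of this example. The demo at the bottom shows the case _why raised: a blob with a swapped user name no longer matches the hash, so it is rejected.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example of a signed, client-bound cookie session. This is an
# illustration of the idea in the post, not Camping's own implementation.
class CookieSession
  DEFAULT_TIMEOUT = 15 * 60 # seconds; the 15-minute default from the post

  def initialize(secret, timeout: DEFAULT_TIMEOUT)
    @secret = secret   # server-side secret, assumed to be kept out of the cookie
    @timeout = timeout # overridable, like @@state_timeout in the post
  end

  # Serialize session data into the three cookie values.
  def issue(data, ip, user_agent, now = Time.now.to_i)
    blob = Base64.strict_encode64(JSON.generate(data))
    time = now.to_s
    {
      camping_blob: blob,
      camping_time: time,
      camping_hash: digest(blob, time, ip, user_agent)
    }
  end

  # Returns the session hash, or nil when a cookie is missing, the hash does
  # not match (tampered blob/time or a different IP/user agent), or the
  # session is older than the timeout.
  def load(cookies, ip, user_agent, now = Time.now.to_i)
    blob, time, hash = cookies.values_at(:camping_blob, :camping_time, :camping_hash)
    return nil if blob.nil? || time.nil? || hash.nil?
    return nil unless secure_compare(digest(blob, time, ip, user_agent), hash)
    return nil if now - time.to_i > @timeout
    JSON.parse(Base64.strict_decode64(blob))
  rescue JSON::ParserError, ArgumentError
    nil # undecodable blob is treated as no session
  end

  private

  # HMAC over every field that the cookie is bound to. Each field is
  # length-prefixed so bytes cannot be shifted from one field into another
  # without changing the message.
  def digest(blob, time, ip, user_agent)
    msg = [blob, time, ip, user_agent].map { |f| "#{f.bytesize}:#{f}" }.join
    OpenSSL::HMAC.hexdigest('SHA256', @secret, msg)
  end

  # Constant-time comparison so the hash check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values for the demo.
  session = CookieSession.new('constructed-secret')
  cookies = session.issue({ 'user' => 'magnus' }, '10.0.0.5', 'Mozilla/5.0', 1_000_000)
  puts "valid client:  #{session.load(cookies, '10.0.0.5', 'Mozilla/5.0', 1_000_100).inspect}"
  forged = cookies.merge(camping_blob: Base64.strict_encode64(JSON.generate('user' => 'why')))
  puts "spoofed user:  #{session.load(forged, '10.0.0.5', 'Mozilla/5.0', 1_000_100).inspect}"
  puts "other IP:      #{session.load(cookies, '10.0.0.6', 'Mozilla/5.0', 1_000_100).inspect}"
  puts "after timeout: #{session.load(cookies, '10.0.0.5', 'Mozilla/5.0', 1_000_000 + 15 * 60 + 1).inspect}"
end
```

Binding the hash to the IP and user agent is what stops a copied cookie from being loaded from a different client; the timeout bounds how long a captured cookie stays usable even from the same client. The blob itself is still readable by whoever holds the cookie, so anything secret belongs server-side rather than in camping_blob.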