As far as I can tell, there are VERY SERIOUS SECURITY problems lurking in the most basic session and auth usage.
I have posted a few bug reports on auth and cookies as well as a few posts here. I have not received any response and cannot see any progress on these issues. So either it means "I'm doing it wrong" or "no one else is testing these aspects". I hope it's the former.

In my latest experiments against merb 1.0.8, I find that if I change the session_secret_key the old cookie still works. I expect to have an invalid cookie if I do the following:

1. login to my app
2. shutdown merb
3. change the session_secret_key
4. restart merb
5. refresh my page

Results: I am still logged in and the display_name and user_id stored in the old cookie are read just fine. No db query is being done; it is getting the data from the old cookie.

Can anyone else verify this erroneous or correct behavior? Are there some experts that would like to take a look at this with me?

Thanks,
Jon
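The behaviour the post expects, as an added example that is not Merb's own code: a hypothetical minimal HMAC-signed cookie store in which a cookie issued under one session secret fails verification once the secret is rotated, so the old session data is never trusted. SignedCookieStore, rotate_secret_demo and the two key strings are assumptions of this example.

```ruby
require "openssl"
require "base64"
require "json"

# Hypothetical minimal signed-cookie session store (example code, not Merb's).
# The session hash is serialised to JSON and an HMAC-SHA256 over the payload,
# keyed with the session secret, is appended; JSON (not Marshal) so that a
# forged payload cannot instantiate arbitrary objects on load.
class SignedCookieStore
  def initialize(secret)
    @secret = secret
  end

  # Produce the cookie value: base64(payload) + "--" + hex(hmac).
  def generate(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{digest(payload)}"
  end

  # Verify and decode. Returns nil when the signature does not match the
  # current secret, which is exactly what a rotated key must produce.
  def load(cookie)
    payload, sig = cookie.to_s.split("--", 2)
    return nil if payload.nil? || sig.nil?
    return nil unless secure_compare(digest(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end

  # Constant-time comparison so signature checking does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk through the steps in the post: log in, rotate the key, present old cookie.
def rotate_secret_demo
  old_store = SignedCookieStore.new("old-secret-key")  # constructed value
  cookie = old_store.generate("user_id" => 42, "display_name" => "jon")
  new_store = SignedCookieStore.new("new-secret-key")  # constructed value
  { before: old_store.load(cookie), after: new_store.load(cookie) }
end
```

With this design, step 5 of the post yields an anonymous session and the application has to re-authenticate rather than reading display_name and user_id from the stale cookie.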
