Now I've pushed some more code into production and retested. In production mode I get a proper "Tampered with cookie" error. In development mode, it seems to be blissfully ignoring the fact that my session_secret_key has changed.
This isn't a serious security problem. Now I need to figure out how to deal with the production error. The default behavior of showing the end user a merb exception page isn't very interesting. What I want is to simply throw away the old cookie as it isn't actually tampered with.

Jon

On Jan 19, 3:10 pm, Jon Hancock <[email protected]> wrote:
> As far as I can tell, there are VERY SERIOUS SECURITY problems lurking
> in the most basic session and auth usage.
>
> I have posted a few bug reports on auth and cookies as well as a few
> posts here. I have not received any response and cannot see any
> progress on these issues. So either it means "I'm doing it wrong" or
> "no one else is testing these aspects". I hope it's the prior.
>
> In my latest experiments against merb 1.0.8, I find that if I change
> the session_secret_key the old cookie still works.
> I expect to have an invalid cookie if I do the following:
> 1 - login to my app
> 2 - shutdown merb
> 3 - change the session_secret_key
> 4 - restart merb
> 5 - refresh my page. Results: I am still logged in and the
> display_name and user_id stored in the old cookie are read just fine.
> No db query being done, it is getting the data from the old cookie.
>
> Can anyone else verify this erroneous or correct behavior? Are there
> some experts that would like to take a look at this with me?
>
> thanks, Jon
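An added Ruby example (not Merb's code and not from the thread) of how an HMAC-signed cookie session should behave across a session_secret_key change: the strict loader raises the kind of "tampered" error seen in production, while a lenient loader discards the stale cookie and starts an empty session, which is what the post asks for. The class, method names and sample keys are illustrative assumptions.

```ruby
require 'openssl'
require 'base64'
require 'json'
# Illustrative HMAC-signed cookie session (not Merb's own code). Cookie value is
# "<base64 payload>--<hex hmac>"; the payload is trusted only if the hmac verifies.
class SignedCookieSession
  class TamperedCookie < StandardError; end
  def initialize(secret)
    @secret = secret # the app's session_secret_key
  end

  # Serialize the session hash and append an HMAC-SHA256 over the payload.
  def dump(session_hash)
    payload = Base64.strict_encode64(JSON.generate(session_hash))
    "#{payload}--#{hmac(payload)}"
  end

  # Strict: raise on a bad signature, so a cookie signed under an old key is
  # never read (the production "Tampered with cookie" behaviour in the post).
  def load!(cookie)
    payload, sig = cookie.to_s.split('--', 2)
    raise TamperedCookie unless payload && sig && secure_compare(hmac(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  end

  # Lenient: discard an invalid cookie and start an empty session (no error page).
  def load_or_reset(cookie)
    load!(cookie)
  rescue TamperedCookie, ArgumentError, JSON::ParserError
    {}
  end

  private
  def hmac(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so verification does not leak timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
# The post's scenario: log in under one key, change session_secret_key, refresh.
OLD_KEY, NEW_KEY = 'old-secret-key!!' * 2, 'new-secret-key!!' * 2 # constructed samples
def rotation_demo
  cookie = SignedCookieSession.new(OLD_KEY).dump('user_id' => 42, 'display_name' => 'jon')
  [SignedCookieSession.new(OLD_KEY).load!(cookie)['user_id'],
   SignedCookieSession.new(NEW_KEY).load_or_reset(cookie)]
end
```

`rotation_demo` returns `[42, {}]`: the old key still reads the cookie, the new key rejects it and yields an empty session rather than an exception.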
