On 3/21/07, S. Robert James <[EMAIL PROTECTED]> wrote:
> I'm concerned about the possibility of replay attacks with cookie
> sessions. This is a standard security issue.
>
> Example:
> 1. User receives credits, stored in his session
> 2. User buys something
> 3. User gets his new, lower credits stored in his session
> 4. Evil hacker takes his saved cookie from step #1 and pastes it back
> in his browser's cookie jar. Now he's gotten his credits back.

Interesting, I hadn't considered that scenario.

> This is normally solved using something called nonce - each signing
> includes a once only code, and the signer keeps track of all of the
> codes, and rejects any message with the code repeated. But that's
> very hard to do here, since there may be several app servers
> (mongrels).

This sounds like something you could perform at the application level.

jeremy

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---
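The two messages above describe the replay and sketch the nonce fix in prose. What follows is an added example, not code from the thread or from the Rails cookie store itself. It reproduces a minimal signed cookie (base64 payload plus HMAC, JSON instead of Marshal so it is safe to run), shows that a saved step-1 cookie still verifies after the purchase, and then adds the application-level check Jeremy alludes to: a per-user generation counter kept in a store shared by all app servers (the `SESSION_GENERATION` hash here is a constructed stand-in for a database row or memcached key; a per-process Hash would not work across several mongrels). Every function, constant and secret in the block is invented for the example.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed demo secret; a real app reads this from configuration.
SECRET = 'constructed-demo-secret-not-for-production'

# Constant-time comparison so the MAC check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign a session hash the way a cookie store does:
# base64(payload) + "--" + HMAC(payload). JSON stands in for Marshal.
def encode_session(data)
  payload = Base64.strict_encode64(JSON.generate(data))
  mac = OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
  "#{payload}--#{mac}"
end

# Verify the signature and return the session hash, or nil if tampered.
def decode_session(cookie)
  payload, mac = cookie.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
  return nil unless secure_compare(expected, mac)
  JSON.parse(Base64.strict_decode64(payload))
end

# The replay from the post: the step-1 cookie was honestly signed, so a
# bare cookie store accepts it again after the purchase and the user
# "has his credits back".
def replay_against_plain_cookie_store
  step1 = encode_session('user_id' => 7, 'credits' => 100)
  _after_purchase = encode_session('user_id' => 7, 'credits' => 40)
  decode_session(step1)['credits'] # stale balance accepted
end

# Stand-in for a store shared by every app server (DB table, memcached).
# Maps user_id => current session generation.
SESSION_GENERATION = Hash.new(0)

# Every write bumps the user's generation and stamps it into the cookie.
# The generation is the "once only code" from the post, tracked server-side.
def write_session(data)
  gen = SESSION_GENERATION[data['user_id']] += 1
  encode_session(data.merge('gen' => gen))
end

# Reading rejects any cookie whose generation is not the current one: a
# replayed older cookie still carries a valid signature but a stale 'gen'.
def read_session(cookie)
  data = decode_session(cookie)
  return nil if data.nil?
  return nil unless data['gen'] == SESSION_GENERATION[data['user_id']]
  data
end

# Same scenario against the generation-checked store.
def replay_against_nonced_store
  step1 = write_session('user_id' => 7, 'credits' => 100) # gen n
  step3 = write_session('user_id' => 7, 'credits' => 40)  # gen n+1
  { 'current'  => read_session(step3)['credits'],          # 40
    'replayed' => read_session(step1) }                    # nil, rejected
end

if $PROGRAM_NAME == __FILE__
  puts "plain store, replayed credits: #{replay_against_plain_cookie_store}"
  puts "nonced store: #{replay_against_nonced_store.inspect}"
end
```

Two caveats a practitioner would weigh before adopting this. Invalidating every earlier cookie on each write also breaks legitimate parallel requests from the same user (two browser tabs racing), so real deployments usually allow a small window of recent generations or only bump the counter on security-relevant writes. And the simplest fix for the specific example in the post is to not put mutable, authoritative data such as a credit balance in the cookie at all: keep only the user id there and read the balance from the database on each request, which is immune to replay by construction.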