On 3/22/07, Brad Ediger <[EMAIL PROTECTED]> wrote:
> This was discussed earlier in the thread. The problem is that such a nonce
> would require communication between the backend servers via DRb or the
> database, which removes any benefit from storing the cookies client-side.
> You might as well store the whole session in the database or DRb store.
Avoiding a single database lookup isn't the purpose of the cookie store.

> As for the opt-in, if you're the type of user that would know enough about
> security to opt in to such a plan, you're probably not storing account
> balances in a client-side cookie. The discussion we are having concerns
> sensible defaults.

This discussion skipped plugging the session replay hole. I understand your
concern, but I think you underestimate the average Rails developer. For
example: to prevent user_id replay, store a last access timestamp in session
that's updated on login and logout.

jeremy
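An added illustration of the timestamp check Jeremy describes, written for this page and not taken from the thread or from Rails: the cookie-backed session carries the time of the last login, the server keeps the same value per user (updated on both login and logout, one lookup per request), and any cookie whose stamp no longer matches is treated as a replay. The in-memory users table and the column name are constructed for the example.

```ruby
# Constructed stand-in for the users table. In an application this would be a
# column (name assumed) that the login and logout actions update.
USERS = { 42 => { session_issued_at: nil } }

# Login: record the event time server-side and put the same stamp into the
# cookie-backed session next to the user id. Fractional seconds keep two
# events in the same second from sharing a stamp.
def login(session, user_id, now = Time.now)
  stamp = now.to_f
  USERS.fetch(user_id)[:session_issued_at] = stamp
  session[:user_id] = user_id
  session[:issued_at] = stamp
  session
end

# Logout: bump the server-side stamp and clear the session. No cookie is
# ever issued with the logout time, so every earlier cookie stops matching.
def logout(session, now = Time.now)
  user = USERS[session[:user_id]]
  user[:session_issued_at] = now.to_f if user
  session.clear
  session
end

# The per-request check: returns the user id only if the cookie's stamp is
# the one recorded at the user's most recent login, otherwise nil (replay,
# logged-out session, or no session at all).
def current_user_id(session)
  user_id = session[:user_id]
  stamp = session[:issued_at]
  return nil unless user_id && stamp
  user = USERS[user_id]
  return nil unless user && user[:session_issued_at] == stamp
  user_id
end

# Walks through the scenario: a stale copy of the session cookie is presented
# again after the user has logged out and after they have logged in afresh.
def replay_demo
  t0 = Time.at(1_174_521_600)  # constructed instant: 2007-03-22T00:00:00Z
  live = login({}, 42, t0)
  stale = live.dup             # contents of the cookie as issued at login
  before = current_user_id(stale)
  logout(live, t0 + 60)
  after = current_user_id(stale)
  fresh = login({}, 42, t0 + 120)
  { before_logout: before, after_logout: after,
    stale_after_relogin: current_user_id(stale),
    fresh_after_relogin: current_user_id(fresh) }
end
```

Calling `replay_demo` returns 42 for the live cookie before logout and for the fresh login, and nil for the stale copy in both later checks.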