pharrington wrote:
> Sounds like you're thinking of a nonce
> http://en.wikipedia.org/wiki/Cryptographic_nonce,
> and of course, implementing one to secure your sessions would
> require... no changes to any protocols at all. However, implementing
> it is nowhere close to trivial; you need to be fairly certain that no
> nonce is ever reused in the lifespan of your application, that the
> multiple running instances of your application don't send the same
> nonce at the same time, and you need to keep in mind that the same app
> instance that issued a nonce might not be the same one that has to
> check it. A minute or so of googling finds no nonce session enabling
> Rails plugins, so if you ever are in the situation where this is a
> real concern, you'll probably have to roll your own solution :\
Yes, and besides all this, what is the point of worrying about session key encryption, when all you need is to enforce use of SSL/TLS? Doing so makes all this complication go away. If one is passing sensitive information over a public wire in the clear, then session hijacking becomes a minor issue in comparison. There's no point in reinventing this wheel. Experts far smarter than most of us have already solved this problem with SSL/TLS.

--
Posted via http://www.ruby-forum.com/.
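Added example, not code from this thread or from any Rails plugin: a minimal single-use nonce store in Ruby showing the three pitfalls pharrington lists (reuse, concurrent instances, issuer not being the checker). The class names and the injectable clock are assumptions; the in-process Hash stands in for the shared backend with an atomic delete that real multi-instance deployments would need.

```ruby
require 'securerandom'
require 'monitor'

# Hypothetical single-use nonce store shared by every app instance.
# In production @nonces would live in a shared store (database row or
# cache entry with an atomic delete); here it is an in-process Hash
# under a lock so the example runs stand-alone.
class NonceStore
  include MonitorMixin

  def initialize(ttl: 300, clock: -> { Time.now.to_f })
    super()
    @ttl = ttl          # seconds a nonce stays valid
    @clock = clock      # injectable so expiry can be exercised in tests
    @nonces = {}        # nonce => expiry timestamp
  end

  # Issue a fresh nonce: 16 bytes from a CSPRNG makes accidental reuse
  # negligible even when several instances issue concurrently.
  def issue
    nonce = SecureRandom.hex(16)
    synchronize { @nonces[nonce] = @clock.call + @ttl }
    nonce
  end

  # Consume atomically: true exactly once per issued, unexpired nonce;
  # false on replay, on an unknown (forged) value, or after expiry.
  def consume(nonce)
    synchronize do
      expires_at = @nonces.delete(nonce)
      !expires_at.nil? && expires_at > @clock.call
    end
  end

  # Drop expired entries so the store does not grow without bound.
  def sweep
    synchronize { @nonces.delete_if { |_, exp| exp <= @clock.call } }
    nil
  end

  def size
    synchronize { @nonces.size }
  end
end

# Two "app instances" sharing one store: the instance that issued the
# nonce need not be the one that checks it. Returns [first, replay].
def cross_instance_demo
  store = NonceStore.new(ttl: 60)
  issuer = NonceStore.method(:new) && store   # both instances see one store
  nonce = issuer.issue
  [store.consume(nonce), store.consume(nonce)]  # => [true, false]
end
```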