I'm looking at page 162 in *Agile Web Development with Rails* and in
there they do the following once they find that a user has logged in
with the right name and password:

- - -
  def login
    if request.post?
      user = User.authenticate(params[:username], params[:password])
      if user
        session[:user_id] = user.id
        redirect_to(:action => "index")
      else
        flash.now[:notice] = "Invalid user/password combination"
      end
    end
  end
- - -

The line that concerns me is
        session[:user_id] = user.id

The authors write
#########
The login action will need to record something in session to say that an
administrator is logged in.  Let's have it store the id of their User
object using the key user.id.   The login code looks like this:
#########

Given that the session data is likely to be stored in cookies, and given
that user.id is likely to be a relatively small number (less than a
million) ... how secure is this as a flag to indicate that someone is an
authorized user of a store???  Couldn't an unauthorized user create the
session[:user_id] = user.id and then get access?
-- 
Posted via http://www.ruby-forum.com/.
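The worry in the post is exactly right for a cookie the server trusts blindly, which is why Rails's cookie session store signs the serialized session with a server-side secret and refuses any cookie whose signature does not match. The following is an added example, not code from the post, the book, or Rails itself: it models that scheme with a constructed secret, JSON serialization and HMAC-SHA256, and shows that re-encoding the cookie with a different user_id fails verification (real Rails uses ActiveSupport::MessageVerifier and a per-application secret, with details that differ by version).

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed secret for this demo only; a real app keeps it in its Rails config.
SECRET = 'constructed-demo-secret-do-not-reuse'

# Encode a session hash as "base64(json)--hex(hmac)"; the digest covers the payload.
def sign_session(session, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  digest  = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time comparison so verification does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify and decode a cookie value; returns nil for any malformed or tampered cookie.
def load_session(cookie, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Rewrite user_id in the payload while keeping the original signature, to show
# that changing the small integer alone is not enough: the verifier rejects it.
def reencode_with_user_id(cookie, new_id)
  payload, digest = cookie.split('--', 2)
  session = JSON.parse(Base64.strict_decode64(payload))
  session['user_id'] = new_id
  "#{Base64.strict_encode64(JSON.generate(session))}--#{digest}"
end

if __FILE__ == $0
  cookie = sign_session('user_id' => 42)
  p load_session(cookie)                              # {"user_id"=>42}
  p load_session(reencode_with_user_id(cookie, 1))    # nil
end
```

The remaining risk with a signed (but unencrypted) cookie is that the user can still read the id, and that anyone holding the secret can mint a valid cookie, so the secret must be protected and rotated like any other credential.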
