[Rails] Re: sessions and security?

On Jul 29, 5:41 pm, 7stud -- <li...@ruby-forum.com> wrote:
> Frederick Cheung wrote in post #1013777:
>
> > Another important thing is that the data in the session store is
> > cryptographically signed - if you tamper with the cookie data then it
> > won't match the signature in the coookie
>
> I don't see how that is relevant.  It doesn't matter what's in a cookie
> if someone copies the cookie.   Cryptographically altering the id 1,
> just makes it hard to guess the cookie.   But in my scenario, the
> malicious user copies the cookie, so it doesn't matter if the cookie
> data is 'red' or 'XADFASDFASDFSADFASDFASDFASDF521374129348712398".
>

Just above you wrote (or quoted) "Okay, so the spoofer can guess a
user id, e.g. 1, and create a cookie
with that id, " and I'm saying that you can't spoof tails session
cookies like that.

> > Again guessing because I don't know which tutorial you are talking
> > about, but I believe the pattern being discussed is one where whenever
> > the user logs in then the permanent token is replaced (and so any old/
> > previously stolen tokens stop working). So you can still steal browser
> > cookies but they will only be useful until the user next logs in. If
> > the user's token is invalid then they can sign in using their username
> > and password.
>
> Ah, I see.  So the malicious user will have access to the account until
> the user returns from vacation.  Then when the user visits the website,
> rails won't recognize him as a signed in user--but the user can still
> sign in with his name and password to gain access to the account.
> Subsequently, the malicious user's cookie won't work because of an
> invalid timestamp, and he won't be able to access the account anymore.
> However, what prevents the malicious user from changing the password,
> and permanently hijacking the account?

Most websites require you to supply the existing password to change a
password.

Fred

>
> --
> Posted viahttp://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.