Sign in through GitHub

Please read for an updated status on RailsCasts:

Learn more or hide this

Gabriel Oliveira's Profile

GitHub User: gabrielso

Site: http://www.caelum.com.br

Comments by Gabriel Oliveira

Avatar

disclaimer: the cookie injection code is only an example.

Avatar

The :auth_token is "text plain" accessible in the cookie (since signing it would not help), capturing it would give access (a valid current_user) to any one who knows how to inject it later, no need to a password-based authorization process... wouldn't be wise to generate a new :auth_token for the current_user and save it before SessionsController#destroy?

(e.g.: you can inspect the cookie once and then later in any javascript console -> document.cookie("auth_token=7h3$u53r&H45H"); )

-> Kind of have no time to read all the comments, sorry if the subject have already been discussed.