GitHub User: yfujiki
-
watch on iTunes
-
follow on Twitter
-
follow on Facebook
-
subscribe to RSS feed
watch on iTunes
follow on Twitter
follow on Facebook
subscribe to RSS feed
My bad. I didn't know that Rails3 session cookies are tamper proof... Wow, that makes my life really easy!
Hello Ryan. Thank you for great tutorials! :)
I didn't quite get this comment though. Isn't it what session hijacking is about?
I may be misunderstanding your comment, so please correct me if my basic understanding about the security design is wrong.
If some malicious people gets user_id, he can create a request with session[:user_id] to by-pass login. So, it is always better to use SSL to avoid session cookies to be sniffed out.
To enhance the security further in highly sensitive system, it would be better to use a session id that changes its value according to the login time (unlike user_id)