Comments on: Rails 2.0, cookie session store and security

By: 基于CookieStore的session存储机制的安全话题 - IceskYsl@1sters!

基于CookieStore的session存储机制的安全话题 - IceskYsl@1sters! — Tue, 03 Jan 2012 16:14:50 +0000

[...] 最近在看一本《The Rails way》的书，其中关于session存贮机制一章中，对基于CookieStore的session存储机制持否定态度，认为其存在被破解和Replay attack的可能。就我了解的信息来看，这个观点是不妥的。最详细的一篇文章是写的laigongli写的这篇“Rails 2.0, cookie session store and security”，文章比较长，说的很详细，感兴趣的可以过去看看。其中主要观点为： [...]

By: rtg

rtg — Thu, 10 Jul 2008 10:01:31 +0000

Is it right that the crazy side effect on this is that the default app issues the same cookie id to all anonymous users?
I took LovedByLess switched to cookie store and issues exactly the same session id to all users on the same machine…
thx rtg

By: Sligo

Sligo — Fri, 21 Dec 2007 04:41:27 +0000

I am starting to warm up to the idea. I guess the important thing to remember is that you definitely have a choice, and for folks to get bent out of shape over the DEFAULT session mechanism is a bit extreme. We still have lots of options, and if people didn’t shake up things once in a while, we would never have progress…

By: simplificator » Blog Archive » Rails 2.0 and Session Cookie Store

simplificator » Blog Archive » Rails 2.0 and Session Cookie Store — Tue, 18 Dec 2007 13:51:01 +0000

[...] A long article with some mathematical background (it is insecure because of a flawed random generator) [...]

By: Pascal

Pascal — Tue, 18 Dec 2007 13:30:06 +0000

Thanks for the detailed information!

“Is session based cookie store a good thing?”: as usual in CS the answer is “it depends!”

It depends on your applications security requirements. I would not recommend it for an application dealing with private data (i.e. medical records or email) or lots of money (think e-banking). But for applications with less strict security requirements: the benefits might outweigh the risks.

But I agree: It just does not feel right

Pascal

P.s. Don’t tell anyone that I have a Post-It with the root password under my keyboard in my unlocked office.

By: Sligo

Sligo — Sat, 08 Dec 2007 05:25:32 +0000

Ok Adam, you win. don’t use cookie based session storage with your ajax site. I won’t be using it either, and in general I am not a fan of sending cached data back and forth. seems wasteful to me. I assume the id generation will be patched, but even after that, i wont be able to sleep well at night knowing that i am bouncing session data back and forth between my clients and my servers simply because I suddenly have no regard for bandwidth… (Not a fan of viewstate either, but I would choose that in a heartbeat over this)

By: Adam Fields

Adam Fields — Wed, 28 Nov 2007 19:43:27 +0000

Yes, but not compared to the size of the average XMLHttpRequest call, which really depends on being as fast as possible.

By: Hongli

Hongli — Wed, 28 Nov 2007 16:59:54 +0000

That is correct. That’s why it isn’t a good thing to store a lot of data in it (it never was in the first place). Though I think the session data size is neglible compared to the size of the average web page.

By: Adam Fields

Adam Fields — Wed, 28 Nov 2007 16:55:09 +0000

It may not seem like a lot of data, but the cookies get sent back to the server with every request, including every XMLHttpRequest. If you’re storing a lot of info in the session, your roundtrip times are going to start to “mysteriously” lag.

By: a work on process » links for 2007-11-27

a work on process » links for 2007-11-27 — Tue, 27 Nov 2007 04:21:20 +0000

[...] 赖洪礼的 blog » Rails 2.0, cookie session store and security Looking at the security implications of the new session storage which becomes the default in Rails 2.0 (tags: cookies rubyonrails security sessions) [...]