[Rails] sessions without cookies
Justin French
justin.french at indent.com.au
Wed Jan 5 07:26:06 GMT 2005
On 03/01/2005, at 2:31 PM, Tobias Luetke wrote:
> Currently, if users manage to get to the view shopping cart page with
> an empty shopping cart I tell them how to enable cookies.
>
> Session info in the URL is too dangerous for a shop I think. Someone
> might post a link to a product on a board and everyone following this
> link is logged with all user data available.
Well, from a business point of view, your client might say "it's too
dangerous to only rely on cookies, because I'll lose sales", which is
fair enough.
PHP's trans-sid stuff is pretty good at deciding if a link or form
needs to have the session ID appended, and the url_for, link_to, etc.
functions could surely be extended to take care of this automatically.
> You can IP-restrict sessions but that still leaves people behind big
> proxy servers vulnerable (i.e. AOL).
All you need to do is bind the session to *something* constant on the
client side... my current preferred method is to use the user agent
string (even if it's empty, it really should remain constant).
Tracking the IP address as well (and only resetting the session if both
change) would also be an option.
There's a bunch of other tricks in PHP which I'm sure apply to Rails as
well. I learnt most of my PHP/Session/Security stuff off Chris
Shiflett:
http://shiflett.org/articles/the-truth-about-sessions
http://shiflett.org/talks/phpworks2004/php-session-security
Sorry to drag the dirty acronym (PHP) in here, but perhaps all this can
be integrated into Rails?
---
Justin French, Indent.com.au
justin.french at indent.com.au
Web Application Development & Graphic Design
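One way to implement the binding described in the post above, as an added example that is not from the post or from Rails' own session code: `session` is a plain Hash standing in for the Rails session store, `env` a Rack-style request env, and the module, method and policy names (`SessionBinding`, `guard`, `:user_agent`, `:both`) are assumptions of this example. It covers both variants the post mentions, resetting when the User-Agent changes, or only when the User-Agent and the IP both change.

```ruby
require 'digest'

# Added example (not from the mailing-list post or from Rails): bind a session
# to the client's User-Agent string and remote IP, then decide on each request
# whether the session may continue. `session` is a plain Hash standing in for
# the Rails session store; `env` is a Rack-style env Hash. All names here are
# this example's own.
module SessionBinding
  UA_KEY = :bound_ua_fp
  IP_KEY = :bound_ip

  # Hash the User-Agent so the raw string is never stored in the session.
  # An empty or missing UA still yields a constant fingerprint.
  def self.fingerprint(user_agent)
    Digest::SHA256.hexdigest(user_agent.to_s)
  end

  # Record the binding (called on a fresh session).
  def self.bind!(session, env)
    session[UA_KEY] = fingerprint(env['HTTP_USER_AGENT'])
    session[IP_KEY] = env['REMOTE_ADDR'].to_s
    session
  end

  # Compare the request against the stored binding.
  # Returns :ok, :ua_changed, :ip_changed or :both_changed.
  def self.compare(session, env)
    ua_ok = session[UA_KEY] == fingerprint(env['HTTP_USER_AGENT'])
    ip_ok = session[IP_KEY] == env['REMOTE_ADDR'].to_s
    return :ok           if ua_ok && ip_ok
    return :both_changed if !ua_ok && !ip_ok
    ua_ok ? :ip_changed : :ua_changed
  end

  # The two policies from the post:
  #   :user_agent - reset the session whenever the UA changes (IP ignored)
  #   :both       - reset only when the UA *and* the IP change, so users behind
  #                 large rotating proxy farms (e.g. AOL) keep their session
  def self.reset?(verdict, policy)
    case policy
    when :user_agent then %i[ua_changed both_changed].include?(verdict)
    when :both       then verdict == :both_changed
    else raise ArgumentError, "unknown policy #{policy.inspect}"
    end
  end

  # Entry point for a before-filter: returns the session to continue with.
  # An unbound session gets bound; one that fails the policy is wiped and
  # rebound, so a visitor arriving with someone else's session id gets an
  # empty cart rather than that person's data.
  def self.guard(session, env, policy: :both)
    return bind!(session, env) unless session.key?(UA_KEY)
    if reset?(compare(session, env), policy)
      session.clear
      bind!(session, env)
    end
    session
  end
end
```

Both values being bound here come from the client: the User-Agent is sent verbatim by the browser, and the remote address moves with every proxy hop, so the check narrows who can reuse a leaked session id rather than making the id safe to pass around in URLs. Under the `:both` policy an attacker who copies the victim's UA from the same board post still needs to come from the same address; under `:user_agent` they only need the UA.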