is there a way that, our application can understand wheteher the session id sent from the browser is forged or created by rails? I understand that if the attacker guesses session id, theres nothing we can do about it; but can we understand if he/she is trying to guess by creating random session ids.
on 2005-12-25 13:33
on 2005-12-25 21:07
Can't we just pass another unique key as a pair to validate the session? It'd be much harder to randomly guess two matching keys. That would be my simple solution. ---------------------------------------- Jim J. "A trustworthy individual." www.DontTrustThisGuy.com (480) 235-5201
on 2005-12-25 21:52
Jim J. wrote: > Can't we just pass another unique key as a pair to validate the > session? It'd be much harder to randomly guess two matching keys. > That would be my simple solution. In principle there is no difference between one key and two keys, using two keys is the same as doubling the key length. But this is not necessary, the chance that someone can guess the 64 bits of the Rails session ID is virtually zero.
on 2005-12-26 07:23
How about keep the session id in the session itself. Then compare with what ever the browser send back. This way, we can verify it. However, I don't know it actually works. Never try. Tom