Forum: Ruby on Rails Experiences with ModelSecurity

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Martin G. (Guest)
on 2006-05-17 23:59
(Received via mailing list)
Hi all,

I would be very interested in your opinions on the ModelSecurity
plugin by Bruce P..

http://perens.com/FreeSoftware/ModelSecurity/Tutorial.html

Some time ago, I read on a few pages that it is the way to go, on this
list however, I didn't read much about it. Apart from its security
level,

quoted from comments in source code:
# FIX: At the moment we only support Basic authentication. It's
# prone to sniffing. Change to Digest authentication.

I am at the moment struggling with the fact that it stores the
complete User object in the session data. While this is generally not a
good idea, it's a real problem for me, as I have to deactivate and
reactivate user accounts in my app. I don't think session expiry
handling will be enough here ... I tried changing the code so that it
only stores the user_id and user_name in the session, however I didn't
get this to work so far ...

Any tips? Better authentication libs?

cheers
Martin
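The session problem described in the post above, shown as an added example (this is not ModelSecurity's code and not code from the poster). It is plain Ruby with no Rails or ActiveRecord: User, UserStore, ObjectSessionAuth and IdSessionAuth are assumed stand-ins for the User model, the users table and an application's login helpers, and the session is a plain Hash. The first class serialises the whole User object into the session at login, the second stores only the id and reloads the row on every request, so an account deactivated in the database is locked out on the next request instead of living on in a stale session copy.

```ruby
# Added example, not code from ModelSecurity or from the original post.
# Plain Ruby (no Rails, no ActiveRecord): User, UserStore and the two
# *SessionAuth classes are assumed stand-ins for a User model, the users
# table and the login helpers of an application.

# Hypothetical user record. In a real app this would be the ActiveRecord model.
User = Struct.new(:id, :name, :active)

# Hypothetical users table: look a row up by id, flip the active flag.
class UserStore
  def initialize
    @rows = {}
  end

  def create(id, name)
    @rows[id] = User.new(id, name, true)
  end

  def find(id)
    @rows[id]
  end

  def set_active(id, active)
    @rows.fetch(id).active = active
  end
end

# Pattern the post complains about: the whole User object is serialised
# into the session at login. Every later request trusts that copy, so a
# deactivation written to the database after login is never noticed.
class ObjectSessionAuth
  def initialize(store)
    @store = store
  end

  def login(session, id)
    user = @store.find(id)
    return false unless user && user.active
    session[:user] = Marshal.dump(user) # snapshot frozen at login time
    true
  end

  def current_user(session)
    blob = session[:user]
    return nil unless blob
    user = Marshal.load(blob)
    user.active ? user : nil # checks the stale snapshot, not the database
  end
end

# Safer pattern: the session holds only the user id. Each request reloads
# the row and re-checks the active flag, so deactivation takes effect on
# the very next request. A deactivated or deleted account also has its
# login dropped from the session, so reactivation needs a fresh login.
class IdSessionAuth
  def initialize(store)
    @store = store
  end

  def login(session, id)
    user = @store.find(id)
    return false unless user && user.active
    session[:user_id] = user.id
    true
  end

  def current_user(session)
    id = session[:user_id]
    return nil unless id
    user = @store.find(id)
    return user if user && user.active
    session.delete(:user_id) # revoke the login, do not just hide the user
    nil
  end
end

# Walk one constructed session through login, deactivation and
# reactivation; returns the user name seen at each step (nil = logged out).
def session_trace(auth_class)
  store = UserStore.new
  store.create(1, 'martin')
  auth = auth_class.new(store)
  session = {} # constructed stand-in for the framework's session hash
  auth.login(session, 1)
  seen = []
  seen << auth.current_user(session)&.name
  store.set_active(1, false)
  seen << auth.current_user(session)&.name
  store.set_active(1, true)
  seen << auth.current_user(session)&.name
  seen
end

if __FILE__ == $PROGRAM_NAME
  p session_trace(ObjectSessionAuth) # stale copy: user stays logged in
  p session_trace(IdSessionAuth)     # deactivation seen on the next request
end
```

The trace for ObjectSessionAuth keeps returning the user after deactivation because the active flag it checks lives in the serialised copy, not in the database; IdSessionAuth returns nil as soon as the row is deactivated and, because the id is deleted from the session, still nil after reactivation until the user logs in again. Storing only the id also keeps the rest of the user row (password hashes, email addresses) out of the session store, which matters if the session is ever kept client-side.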
Steve K. (Guest)
on 2006-05-18 01:29
ModelSecurity hasn't been updated since November and doesn't seem to be
actively maintained. Bruce P. is a busy guy.

It has a nice API, but I ended up switching to something under active
development that used migrations for its database table creation.

Martin G. wrote:
> Hi all,
>
> I would be very interested in your opinions on the ModelSecurity
> plugin by Bruce P..
>
> http://perens.com/FreeSoftware/ModelSecurity/Tutorial.html
>
> Some time ago, I read on a few pages that it is the way to go, on this
> list however, I didn't read much about it. Apart from its security
> level,
>
> quoted from comments in source code:
> # FIX: At the moment we only support Basic authentication. It's
> # prone to sniffing. Change to Digest authentication.
>
> I am at the moment struggling with the fact that it stores the
> complete User object in the session data. While this is generally not a
> good idea, it's a real problem for me, as I have to deactivate and
> reactivate user accounts in my app. I don't think session expiry
> handling will be enough here ... I tried changing the code so that it
> only stores the user_id and user_name in the session, however I didn't
> get this to work so far ...
>
> Any tips? Better authentication libs?
>
> cheers
> Martin