Where the Ruby code that implements those tags (in the models
according to the tutorial) would check for the presence of certain
cookies. But from my initial experiments, I don’t have access to the
cookies variable in the model code.
I understand the security risks and I wasn’t going to use the cookie
directly as a means of verifying the user’s status. But I need the
cookie to at least tell me WHAT user is trying to access the site;
from there I can check the user name against some authentication
system to see if they have logged in.
So my question wasn’t in regards to the design of my authentication
system, but rather the means to access those variables where the tag
code is written. I would love to have access to all the HTTP header
variables; I just need to know how.
Matt H. said the following on 10/09/2007 09:54 PM:
Why not make it generic and allow access to ANY HTTP header?
Add that to <r:if> …
All that useful stuff like remote host, address, port …
When it comes down to it, the cookie alone won’t tell you if the user is
validated. In fact that’s an assumption that will open up some security
Try session_id and session_variable …
Actually, what I did for an e-commerce site was to have the session_id
a time-stamp in the cookie in encrypted form - so that ‘time-out’ could
done and so that the cookie wasn’t the same every exchange. (The
key had to change periodically as well which made it hairy!) The
session_id was not predictable - see how that is done TCP sequence
in late model kernels.
Some day I may get around to recoding this in Ruby/Rails …
Don’t code up something that is a security CFM and make your site a
for all manner of attacks and zombifications. Putting “isLoggedIn” or
equivalent (e.g. raw data or predictable session_id) in the cookie is a
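The cookie scheme Matt H. sketches above (an unpredictable session_id plus a time-stamp, encrypted so the cookie differs on every exchange and can time out, with a key that is rotated periodically) written out as an added Ruby example. This is not code from the thread, from Radiant, or from the poster's e-commerce site; the module name, the choice of AES-256-GCM, the 30-minute TTL, the IV/tag/ciphertext layout and the "current key plus previous keys" rotation list are all assumptions made for the example. Because GCM authenticates the ciphertext, a cookie edited by the client fails to decrypt rather than yielding a tampered session_id, which is the property a plain "isLoggedIn" flag lacks.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Hypothetical session-cookie helper (added example, not Radiant's or the
# poster's code): unpredictable session id + timestamp, sealed with
# AES-256-GCM under a fresh random IV on every call.
module SessionCookie
  CIPHER  = 'aes-256-gcm'
  IV_LEN  = 12       # GCM nonce length (OpenSSL default for GCM)
  TAG_LEN = 16       # GCM authentication tag length
  TTL     = 30 * 60  # assumed idle timeout in seconds

  # 32 bytes from the OS CSPRNG, hex-encoded: not a counter, not a hash of
  # the user name, so it cannot be guessed from other sessions.
  def self.new_session_id
    SecureRandom.hex(32)
  end

  # A 256-bit key. When rotating, keep the old key in the list passed to
  # `open` for one TTL so existing sessions are not all dropped at once.
  def self.new_key
    SecureRandom.random_bytes(32)
  end

  # Cookie value = base64(iv || tag || ciphertext(JSON{sid, ts})).
  # A fresh IV per call means the same session id never produces the same
  # cookie bytes twice, even when re-sealed within the same second.
  def self.seal(key, session_id, now = Time.now.to_i)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv
    payload = JSON.generate('sid' => session_id, 'ts' => now)
    ct = cipher.update(payload) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ct)
  end

  # Returns the session id, or nil when the cookie is malformed, was modified
  # by the client, was sealed under a key we no longer know, or is older than
  # TTL. `keys` is [current, previous, ...] to allow key rotation.
  def self.open(keys, cookie, now = Time.now.to_i)
    raw = Base64.strict_decode64(cookie)
    return nil if raw.bytesize <= IV_LEN + TAG_LEN
    iv  = raw.byteslice(0, IV_LEN)
    tag = raw.byteslice(IV_LEN, TAG_LEN)
    ct  = raw.byteslice(IV_LEN + TAG_LEN, raw.bytesize)
    Array(keys).each do |key|
      begin
        cipher = OpenSSL::Cipher.new(CIPHER).decrypt
        cipher.key = key
        cipher.iv = iv
        cipher.auth_tag = tag
        payload = JSON.parse(cipher.update(ct) + cipher.final)
        # Authenticated, so the fields are what we sealed; enforce the timeout.
        return nil unless payload['ts'].is_a?(Integer) && now - payload['ts'] <= TTL
        return payload['sid']
      rescue OpenSSL::Cipher::CipherError
        next # wrong key or tampered ciphertext: try the next (older) key
      end
    end
    nil
  rescue ArgumentError, JSON::ParserError
    nil # not valid base64, or empty/garbage ciphertext
  end
end
```

In a tag the cookie's session id would be passed to the real authentication system to look up who is logged in; the cookie itself only identifies the session, as the posts above recommend. Re-sealing on each response (same session id, new timestamp) is what makes the "time-out" sliding rather than absolute.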