Where the Ruby code that implements those tags (in the models
according to the tutorial) would check for the presence of certain
cookies. But from my initial experiments, I don’t have access to the
cookies variable in the model code.
I understand the security risks and I wasn’t going to use the cookie
directly as a means of verifying the user’s status. But I need the
cookie to at least tell me WHAT user is trying to access the site;
from there I can check the user name against some authentication
system to see if they have logged in.
So my question wasn’t in regards to the design of my authentication
system, but rather the means to access those variables where the tag
code is written. I would love to have access to all the HTTP header
variables, I just need to know how.
Matt H. said the following on 10/09/2007 09:54 PM:
Any ideas?
Why not make it generic and allow access to ANY HTTP header?
Add that to <r:if> …
All that useful stuff like remote host, address, port …
When it comes down to it, the cookie alone won’t tell you if the user is
validated. In fact that’s an assumption that will open up some security
holes.
Try session_id and session_variable …
Actually, what I did for an e-commerce site was to have the session_id
plus a time-stamp in the cookie in encrypted form - so that ‘time-out’ could
be done and so that the cookie wasn’t the same every exchange. (The
encryption key had to change periodically as well which made it hairy!) The
session_id was not predictable - see how that is done for TCP sequence
numbers in late model kernels.
Some day I may get around to recoding this in Ruby/Rails …
But PLEASE!
Don’t code up something that is a security CFM and make your site a
target for all manner of attacks and zombifications. Putting “isLoggedIn” or
equivalent (e.g. raw data or predictable session_id) in the cookie is a
real security risk.
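The cookie scheme the reply describes (an unpredictable session_id plus a time-stamp, encrypted so the value changes on every exchange and a time-out can be enforced, and nothing like a raw "isLoggedIn" flag that a client could forge) is shown below as an added Ruby example. It is not code from this thread, from Radiant, or from the poster's e-commerce site; it uses AES-256-GCM from Ruby's openssl stdlib so that any tampering is detected before a field is trusted. The helper names `new_session_id`, `seal_cookie` and `open_cookie`, the `COOKIE_KEY` constant and the 30-minute `SESSION_TIMEOUT` are assumptions made up for the example.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Key for the cookie cipher. In a real deployment this comes from
# configuration and is rotated; here it is generated per process so the
# example runs stand-alone. (Assumed name, not from the thread.)
COOKIE_KEY = OpenSSL::Cipher.new('aes-256-gcm').random_key

# Seconds of inactivity after which a cookie is rejected (assumed value).
SESSION_TIMEOUT = 30 * 60

# An unpredictable session id: 128 bits from the OS CSPRNG, so it cannot be
# guessed or counted up the way a sequential id could.
def new_session_id
  SecureRandom.hex(16)
end

# Seal session_id + timestamp into an encrypted, authenticated cookie value.
# A fresh random nonce on every call means two cookies for the same session
# never look alike on the wire.
def seal_cookie(session_id, now = Time.now.to_i)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = COOKIE_KEY
  iv = cipher.random_iv            # 12-byte nonce, must never repeat per key
  cipher.auth_data = ''
  plaintext = JSON.generate('sid' => session_id, 'ts' => now)
  ciphertext = cipher.update(plaintext) + cipher.final
  Base64.strict_encode64(iv + ciphertext + cipher.auth_tag)
end

# Open a cookie value. Returns the session_id when the cookie is authentic
# and not timed out, nil otherwise. No field is read until the GCM tag has
# verified, so a client cannot edit the timestamp or the id.
def open_cookie(value, now = Time.now.to_i, timeout = SESSION_TIMEOUT)
  raw = Base64.strict_decode64(value)
  return nil if raw.bytesize < 12 + 16
  iv, body, tag = raw[0, 12], raw[12...-16], raw[-16..]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = COOKIE_KEY
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ''
  plaintext = cipher.update(body) + cipher.final   # raises on a bad tag
  data = JSON.parse(plaintext)
  return nil if now - data['ts'] > timeout          # enforce the time-out
  data['sid']
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  sid = new_session_id
  cookie = seal_cookie(sid)
  puts "session id  : #{sid}"
  puts "cookie value: #{cookie}"
  puts "opened      : #{open_cookie(cookie).inspect}"
end
```

The session_id recovered by `open_cookie` is only an identifier: as the original poster says, the server still has to look it up in its own session store to decide whether that user is logged in. Refreshing the cookie on each response (a new `seal_cookie` call with the current time) gives a sliding time-out; rotating `COOKIE_KEY` then requires keeping the previous key around long enough to open cookies issued before the rotation.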