(no subject)

Mirko_KiroviSS263 · October 10, 2007, 1:24am

How can I set a cookie from an extension?

I somehow can’t manage to get access to ApplicationController and as
soon as I add

request.cookies[‘lang’] = CGI::Cookie.new(‘name’ => ‘lang’, ‘value’ =>
‘sr’)

to ‘def activate’ in my_extension.rb the whole thing breaks down…

I need to set a cookie based on params[:lang]

Greets

  ____________________________________________________________________________________

Catch up on fall’s hot new shows on Yahoo! TV. Watch previews, get
listings, and more!
http://tv.yahoo.com/collections/3658

Mirko_KiroviSS263 · October 10, 2007, 3:37am

You need to create a controller filter that does that. You could do
something like this in the activate method of your extension:

ApplicationController.class_eval do
before_filter :set_language

def set_language
cookies[‘lang’] = ‘sr’ # or use params[:lang] here
end
end

Cheers,

Sean

Mirko_KiroviSS263 · October 10, 2007, 3:55am

How about accessing cookies from the model?

I basically want my application to have two tags:

<r:isLoggedIn> and <r:isLoggedOut>

Where the Ruby code that implements those tags (in the models
according to the tutorial) would check for the presence of certain
cookies. But from my initial experiments, I don’t have access to the
cookies variable in the model code.

Any ideas?

Mirko_KiroviSS263 · October 10, 2007, 4:01pm

Anton,

I understand the security risks and I wasn’t going to use the cookie
directly as a means of verifying the user’s status. But I need the
cookie to at least tell me WHAT user is trying to access the site;
from there I can check the user name against some authentication
system to see if they have logged in.

So my question wasn’t in regards to the design of my authentication
system, but rather the means to access those variables where the tag
code is written. I would love to have access to all the HTTP header
variables, just need to know how

Mirko_KiroviSS263 · October 10, 2007, 4:28am

Matt H. said the following on 10/09/2007 09:54 PM:

Any ideas?

Why not make it generic and allow access to ANY HTTP header?

Add that to <r:if> …

All that useful stuff like remote host, address, port …

When it comes down to it, the cookie alone won’t tell you if the user is
validated. In fact that’s an assumption that will open up some security
holes

Try session_id and session_variable …

Actually, what I did for an e-commerce site was to have the session_id
plus
a time-stamp in the cookie in encrypted form - so that ‘time-out’ cold
be
done and so that the cookie wasn’t the same every exchange. (The
encryption
key had to change periodically as well which made it hairy!) The
session_id was not predictable - see how that is done TCP sequence
numbers
in late model kernels.

Some day I may get around to recoding this in Ruby/Rails …

But PLEASE!
Don’t code up something that is a security CFM and make your site a
target
for all manner of attacks and zombifications. Putting “isLoggedIn” or
equivilent (e.g. raw data or predictable session_id) in the cookie is a
real
security risk.

http://www.rorsecurity.info/ - Ruby on Rails Security Project

http://www.owasp.org/index.php/OWASP_AppSec_FAQ - Gives good advice on
how
to design the login process.

http://rubythis.blogspot.com/2006/11/rails-security-checklist.html

http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide

http://www.rorsecurity.info/2007/03/20/logingenerator-and-loginsugar-security-vulnerabilities/

–
Anton J Aylward, CISSP, CISA [email protected]
System Integrity
Minister in the Church of St Sysiphus The Perplexed,
The patron saint of InfoSec

Anton J Aylward, CISSP, CISA [email protected]
System Integrity
http://si.on.ca - System Integrity
http://infosecblog.antonaylward.com - The InfoSec Blog

–
Genius is one per cent inspiration, ninety-nine per cent perspiration.
Thomas A. Edison, Harper’s Monthly, 1932