Hi, I've found some questions on the Rails blog which have no answer.
Because I'm interested too, I paste them here:
gonzo on 07 Dec 22:10:
Does CSRF protection work with forms that are fully cached?
rugal on 08 Dec 20:14:
Great job guys!
Just an information about migrations.
Will t.timestamps create both created_at and updated_at? And for _on?
t.datestamps? And if I want to create just one of them?
t.datetime "created_at" ?
rugal on 08 Dec 20:21:
I forgot another thing... about the HTTP Basic Authentication. In the code
example there are both username and password set on the top of the
class: USER_NAME, PASSWORD = "dhh", "secret"

authenticate_or_request_with_http_basic do |user_name, password|
  user_name == USER_NAME && password == PASSWORD
end

and in the method you check if they are equal. With a user model everything
will be something like this?

authenticate_or_request_with_http_basic do |user_name, password|
  user = User.find_by_nick(user_name)
  user && password == user.password
end

(ok, in this case the password is not encrypted, but it's just an
Last question, what changes with the normal authentication? is it better
using this by http? why?
kgodel on 08 Dec 23:10:
You mention that the cookies are "in a hashed form that can't be
Why should I believe you?
Since "forged" is a rather vague word, do you mean collision resistant,
pre-image resistant, or 2nd pre-image resistant?
I haven't glanced at all the code yet so I'll assume you're using some
version of SHA-2 and are aware of the collision vulnerabilities in MD5
and (the more difficult to generate) collision vulnerabilities in SHA-1.
Even so, "can't be forged" sounds like snake oil, and is
incontrovertibly incorrect (given enough time and enough parallel
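As an added illustration of rugal's user-model variant above (not code from the original thread or from Rails), here is how the block passed to authenticate_or_request_with_http_basic can avoid the two weaknesses in that sketch: the plaintext password stored on the model, and the plain == comparison. The User class, its find_by_nick lookup and the in-memory user table are constructed stand-ins for the real model.

```ruby
require "openssl"

# Constructed stand-in for the User model: stores a salted PBKDF2 hash
# rather than the plaintext password used in the comment above.
class User
  PBKDF2_ITERATIONS = 100_000
  attr_reader :nick, :salt, :password_hash

  def initialize(nick, password)
    @nick = nick
    @salt = OpenSSL::Random.random_bytes(16)
    @password_hash = self.class.derive(password, @salt)
  end

  # Derive a 32-byte key from the password and salt (PBKDF2-HMAC-SHA256).
  def self.derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                               OpenSSL::Digest.new("SHA256"))
  end

  # Stand-in for the real find_by_nick; USERS is a constructed table.
  def self.find_by_nick(nick)
    USERS[nick]
  end
end

USERS = { "dhh" => User.new("dhh", "secret") }
DUMMY_SALT = "\x00" * 16

# XOR every byte and OR the results, so the time taken does not depend on
# where the first mismatching byte is (plain == returns early).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# Body of the block handed to authenticate_or_request_with_http_basic.
def basic_auth_check(user_name, password)
  user = User.find_by_nick(user_name)
  # Derive even for an unknown nick so response time does not reveal
  # which nicks exist.
  candidate = User.derive(password, user ? user.salt : DUMMY_SALT)
  user ? secure_compare(candidate, user.password_hash) : false
end
```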