Questions about rails 2.0

Hi, i’ve found some questions on the rails blog which haven’t any
answer. Because i’m interested too i paste them here:

gonzo on 07 Dec 22:10:

Does CSRF protection work with forms that are fully cached?

rugal on 08 Dec 20:14:

Great job guys!

Just an information about migrations.

will t.timestamps create both created_at and updated_at? And for _on ?
t.datestamps? and if i want to create just one of them?

t.datetime “created_at” ?

rugal on 08 Dec 20:21:

i forgot another thing… about the HTTP Basic Authentication. in the code
example there are both username and password set on the top of the
class: USER_NAME, PASSWORD = “dhh”, “secret”

authenticate_or_request_with_http_basic do |user_name, password|
user_name USER_NAME && password PASSWORD end

and in the method you check if are equals. with a user model everything
will be something like this?

authenticate_or_request_with_http_basic do |user_name, password| user =
User.find_by_nick(user_name) user && password == user.password end

(ok, in this case the password is not encrypted, but it’s just an
example :slight_smile: )

Last question, what changes with the normal authentication? is it better
using this by http? why?

thanks :slight_smile:

kgodel on 08 Dec 23:10:


You mention that the cookies are “in a hashed form that can’t be

Why should I believe you?

Since “forged” is a rather vague word do you mean collision resistant,
pre-image resistant, or 2nd pre-image resistant?

I haven’t glanced at all the code yet so I’ll assume your using some
version of SHA-2 and are aware of the collision vulnerabilities in MD5
and (the more difficult to generate) collision vulnerabilities in SHA-1.

Even so, “can’t be forged” sounds like snake oil, and is
incontrovertibly incorrect (given enough time and enough parallel

Anyone? :frowning:

I don’t know about the first question. (CSRF protection)

The second question is right, you need to do t.datetime :created_at to
create one of them. :created_at is favoured over created_on (imo)

Third one not a clue.

Fourth one wasn’t even structured as a question.

On Dec 10, 2007 5:07 AM, Mix M. [email protected]

rugal on 08 Dec 20:14:

will be something like this?
thanks :slight_smile:

Posted via

Ryan B.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs