encrypted_cookie_store-instructure 1.0.0 → 1.0.1

data/README.markdown CHANGED
@@ -66,7 +66,8 @@ EncryptedCookieStore vs other session stores
66
66
  EncryptedCookieStore inherits all the benefits of CookieStore:
67
67
 
68
68
  * It works out of the box without the need to setup a seperate data store (e.g. database table, daemon, etc).
69
- * It does not require any maintenance. Old, stale sessions do not need to be manually cleaned up, as is the case with PStore and ActiveRecordStore.
69
+ * It does not require any maintenance. Old, stale sessions do not need to be manually cleaned up, as is the
70
+ case with PStore and ActiveRecordStore.
70
71
  * Compared to MemCacheStore, EncryptedCookieStore can "hold" an infinite number of sessions at any time.
71
72
  * It can be scaled across multiple servers without any additional setup.
72
73
  * It is fast.
@@ -74,5 +75,16 @@ EncryptedCookieStore inherits all the benefits of CookieStore:
74
75
 
75
76
  There are of course drawbacks as well:
76
77
 
77
- * You can store at most a little less than 4 KB of data in the session because that's the size limit of a cookie. "A little less" because EncryptedCookieStore also stores a small amount of bookkeeping data in the cookie.
78
- * Although encryption makes it more secure than CookieStore, there's still a chance that a bug in EncryptedCookieStore renders it insecure. We welcome everyone to audit this code. There's also a chance that weaknesses in AES are found in the near future which render it insecure. If you are storing *really* sensitive information in the session, e.g. social security numbers, or plans for world domination, then you should consider using ActiveRecordStore or some other server-side store.
78
+ * It is prone to session replay attacks. These kind of attacks are explained in the
79
+ [Ruby on Rails Security Guide](http://guides.rubyonrails.org/security.html#session-storage). Therefore you
80
+ should never store anything along the lines of `is_admin` in the session. EncryptedCookieStore does
81
+ improve on CookieStore in reducing the amount of time allowed for a replay attack to the :expire_after value,
82
+ instead of forever, but is still weaker than a server side session with an accompanying cookie that allows
83
+ re-establishment of a session, but not replay of the session contents.
84
+ * You can store at most a little less than 4 KB of data in the session because that's the size limit of a
85
+ cookie. "A little less" because EncryptedCookieStore also stores a small amount of bookkeeping data in the cookie.
86
+ * Although encryption makes it more secure than CookieStore, there's still a chance that a bug in
87
+ EncryptedCookieStore renders it insecure. We welcome everyone to audit this code. There's also a chance that
88
+ weaknesses in AES are found in the near future which render it insecure. If you are storing *really* sensitive
89
+ information in the session, e.g. social security numbers, or plans for world domination, then you should
90
+ consider using ActiveRecordStore or some other server-side store.
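Review bot: The new replay bullet (new lines 78-83) states that EncryptedCookieStore reduces the replay window "to the :expire_after value, instead of forever", but the unmarshal code further down in this diff only runs the timestamp check inside `if @expire_after`, so the bound exists only when that option is configured. Suggest wording it as "when :expire_after is set" and saying that without it a captured cookie remains replayable indefinitely, as with CookieStore. Minor: "These kind of attacks" should read "These kinds of attacks", and the Security Guide link could use https.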
@@ -1,6 +1,6 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = %q{encrypted_cookie_store-instructure}
3
- s.version = "1.0.0"
3
+ s.version = "1.0.1"
4
4
 
5
5
  s.authors = ["Cody"]
6
6
  s.date = %q{2012-05-11}
@@ -99,22 +99,22 @@ private
99
99
  @data_cipher.iv = iv
100
100
  session_data = @data_cipher.update(encrypted_session_data) << @data_cipher.final
101
101
  session_data = inflate(session_data) if compressed
102
- return [nil, nil] unless digest == OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new(@digest), secret, session_data + timestamp.to_s)
102
+ return [nil, nil, nil] unless digest == OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new(@digest), secret, session_data + timestamp.to_s)
103
103
  if @expire_after
104
- return [nil, nil] unless timestamp
105
- return [nil, timestamp] unless Time.now.utc.to_i - timestamp < @expire_after
104
+ return [nil, nil, nil] unless timestamp
105
+ return [nil, nil, timestamp] unless Time.now.utc.to_i - timestamp < @expire_after
106
106
  end
107
107
  [Marshal.load(session_data), session_data, timestamp]
108
108
  else
109
- [nil, nil]
109
+ [nil, nil, nil]
110
110
  end
111
111
  else
112
- [nil, nil]
112
+ [nil, nil, nil]
113
113
  end
114
114
  rescue Zlib::DataError
115
- [nil, nil]
115
+ [nil, nil, nil]
116
116
  rescue OpenSSLCipherError
117
- [nil, nil]
117
+ [nil, nil, nil]
118
118
  end
119
119
 
120
120
  def all_unpacked_cookie_data(env)
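Review bot: On new line 102 the HMAC is still checked with `digest == OpenSSL::HMAC.digest(...)`, which is an ordinary string comparison rather than a constant-time one; since this line is being rewritten anyway, replace it with a constant-time compare so verification time does not depend on how many leading bytes match. The same context lines show the check running only after `@data_cipher.update`/`final` and `inflate`, so decryption and decompression operate on input that has not yet been authenticated; verifying a MAC over the ciphertext first would close that gap. The arity fix itself is consistent (every failure path now matches the three-element success return, and the expired case moves `timestamp` from the second slot to the third), but no caller or test change is visible here, so please add a test that destructures the tampered and expired cases.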
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: encrypted_cookie_store-instructure
3
3
  version: !ruby/object:Gem::Version
4
- hash: 23
4
+ hash: 21
5
5
  prerelease:
6
6
  segments:
7
7
  - 1
8
8
  - 0
9
- - 0
10
- version: 1.0.0
9
+ - 1
10
+ version: 1.0.1
11
11
  platform: ruby
12
12
  authors:
13
13
  - Cody
@@ -15,8 +15,7 @@ autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
17
 
18
- date: 2012-05-11 00:00:00 -06:00
19
- default_executable:
18
+ date: 2012-05-11 00:00:00 Z
20
19
  dependencies: []
21
20
 
22
21
  description: A secure version of Rails' built in CookieStore
@@ -32,7 +31,6 @@ files:
32
31
  - README.markdown
33
32
  - lib/encrypted_cookie_store.rb
34
33
  - encrypted_cookie_store-instructure.gemspec
35
- has_rdoc: true
36
34
  homepage: http://github.com/ccutrer/encrypted_cookie_store
37
35
  licenses: []
38
36
 
@@ -62,9 +60,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
62
60
  requirements: []
63
61
 
64
62
  rubyforge_project:
65
- rubygems_version: 1.5.3
63
+ rubygems_version: 1.8.24
66
64
  signing_key:
67
65
  specification_version: 3
68
66
  summary: EncryptedCookieStore for Ruby on Rails 2.3
69
67
  test_files: []
70
68
 
69
+ has_rdoc: