encrypted_cookie_store-instructure 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README.markdown +15 -3
- data/encrypted_cookie_store-instructure.gemspec +1 -1
- data/lib/encrypted_cookie_store.rb +7 -7
- metadata +6 -7
data/README.markdown
CHANGED
@@ -66,7 +66,8 @@ EncryptedCookieStore vs other session stores
|
|
66
66
|
EncryptedCookieStore inherits all the benefits of CookieStore:
|
67
67
|
|
68
68
|
* It works out of the box without the need to setup a seperate data store (e.g. database table, daemon, etc).
|
69
|
-
* It does not require any maintenance. Old, stale sessions do not need to be manually cleaned up, as is the
|
69
|
+
* It does not require any maintenance. Old, stale sessions do not need to be manually cleaned up, as is the
|
70
|
+
case with PStore and ActiveRecordStore.
|
70
71
|
* Compared to MemCacheStore, EncryptedCookieStore can "hold" an infinite number of sessions at any time.
|
71
72
|
* It can be scaled across multiple servers without any additional setup.
|
72
73
|
* It is fast.
|
@@ -74,5 +75,16 @@ EncryptedCookieStore inherits all the benefits of CookieStore:
|
|
74
75
|
|
75
76
|
There are of course drawbacks as well:
|
76
77
|
|
77
|
-
*
|
78
|
-
|
78
|
+
* It is prone to session replay attacks. These kind of attacks are explained in the
|
79
|
+
[Ruby on Rails Security Guide](http://guides.rubyonrails.org/security.html#session-storage). Therefore you
|
80
|
+
should never store anything along the lines of `is_admin` in the session. EncryptedCookieStore does
|
81
|
+
improve on CookieStore in reducing the amount of time allowed for a replay attack to the :expire_after value,
|
82
|
+
instead of forever, but is still weaker than a server side session with an accompanying cookie that allows
|
83
|
+
re-establishment of a session, but not replay of the session contents.
|
84
|
+
* You can store at most a little less than 4 KB of data in the session because that's the size limit of a
|
85
|
+
cookie. "A little less" because EncryptedCookieStore also stores a small amount of bookkeeping data in the cookie.
|
86
|
+
* Although encryption makes it more secure than CookieStore, there's still a chance that a bug in
|
87
|
+
EncryptedCookieStore renders it insecure. We welcome everyone to audit this code. There's also a chance that
|
88
|
+
weaknesses in AES are found in the near future which render it insecure. If you are storing *really* sensitive
|
89
|
+
information in the session, e.g. social security numbers, or plans for world domination, then you should
|
90
|
+
consider using ActiveRecordStore or some other server-side store.
|
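Review bot: The new replay bullet (new lines 78-83) says the replay window is reduced "to the :expire_after value" without saying that this holds only when :expire_after is configured. In lib/encrypted_cookie_store.rb the timestamp checks sit inside `if @expire_after`, so with the option unset a captured cookie remains replayable with no time bound, which is the "forever" case the README attributes to CookieStore. Suggest stating that the option must be set to get this benefit, and changing "These kind of attacks" to "These kinds of attacks".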
@@ -99,22 +99,22 @@ private
|
|
99
99
|
@data_cipher.iv = iv
|
100
100
|
session_data = @data_cipher.update(encrypted_session_data) << @data_cipher.final
|
101
101
|
session_data = inflate(session_data) if compressed
|
102
|
-
return [nil, nil] unless digest == OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new(@digest), secret, session_data + timestamp.to_s)
|
102
|
+
return [nil, nil, nil] unless digest == OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new(@digest), secret, session_data + timestamp.to_s)
|
103
103
|
if @expire_after
|
104
|
-
return [nil, nil] unless timestamp
|
105
|
-
return [nil, timestamp] unless Time.now.utc.to_i - timestamp < @expire_after
|
104
|
+
return [nil, nil, nil] unless timestamp
|
105
|
+
return [nil, nil, timestamp] unless Time.now.utc.to_i - timestamp < @expire_after
|
106
106
|
end
|
107
107
|
[Marshal.load(session_data), session_data, timestamp]
|
108
108
|
else
|
109
|
-
[nil, nil]
|
109
|
+
[nil, nil, nil]
|
110
110
|
end
|
111
111
|
else
|
112
|
-
[nil, nil]
|
112
|
+
[nil, nil, nil]
|
113
113
|
end
|
114
114
|
rescue Zlib::DataError
|
115
|
-
[nil, nil]
|
115
|
+
[nil, nil, nil]
|
116
116
|
rescue OpenSSLCipherError
|
117
|
-
[nil, nil]
|
117
|
+
[nil, nil, nil]
|
118
118
|
end
|
119
119
|
|
120
120
|
def all_unpacked_cookie_data(env)
|
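Review bot: On new line 102 the HMAC check is still `digest == OpenSSL::HMAC.digest(...)`, and Ruby's String `==` is not a constant-time comparison; since the line is being touched anyway, replace it with a constant-time compare. The check also runs only after `@data_cipher.final` and `inflate`, so decryption and zlib decompression operate on input that has not yet been authenticated; authenticating before decrypting would be a worthwhile follow-up. On the arity change itself: it matches the three-element success return on line 107, but `[nil, nil, timestamp]` on new line 105 moves the expired-cookie timestamp from index 1 to index 2, and the caller is not visible in this hunk, so please confirm every caller destructures three values and add a test for each failure path.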
metadata
CHANGED
@@ -1,13 +1,13 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: encrypted_cookie_store-instructure
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
hash:
|
4
|
+
hash: 21
|
5
5
|
prerelease:
|
6
6
|
segments:
|
7
7
|
- 1
|
8
8
|
- 0
|
9
|
-
-
|
10
|
-
version: 1.0.
|
9
|
+
- 1
|
10
|
+
version: 1.0.1
|
11
11
|
platform: ruby
|
12
12
|
authors:
|
13
13
|
- Cody
|
@@ -15,8 +15,7 @@ autorequire:
|
|
15
15
|
bindir: bin
|
16
16
|
cert_chain: []
|
17
17
|
|
18
|
-
date: 2012-05-11 00:00:00
|
19
|
-
default_executable:
|
18
|
+
date: 2012-05-11 00:00:00 Z
|
20
19
|
dependencies: []
|
21
20
|
|
22
21
|
description: A secure version of Rails' built in CookieStore
|
@@ -32,7 +31,6 @@ files:
|
|
32
31
|
- README.markdown
|
33
32
|
- lib/encrypted_cookie_store.rb
|
34
33
|
- encrypted_cookie_store-instructure.gemspec
|
35
|
-
has_rdoc: true
|
36
34
|
homepage: http://github.com/ccutrer/encrypted_cookie_store
|
37
35
|
licenses: []
|
38
36
|
|
@@ -62,9 +60,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
62
60
|
requirements: []
|
63
61
|
|
64
62
|
rubyforge_project:
|
65
|
-
rubygems_version: 1.
|
63
|
+
rubygems_version: 1.8.24
|
66
64
|
signing_key:
|
67
65
|
specification_version: 3
|
68
66
|
summary: EncryptedCookieStore for Ruby on Rails 2.3
|
69
67
|
test_files: []
|
70
68
|
|
69
|
+
has_rdoc:
|