encrypted_cookie_store-instructure 1.0.0 → 1.0.1
Sign up to get free protection for your applications and to get access to all the features.
- data/README.markdown +15 -3
- data/encrypted_cookie_store-instructure.gemspec +1 -1
- data/lib/encrypted_cookie_store.rb +7 -7
- metadata +6 -7
data/README.markdown
CHANGED
|
@@ -66,7 +66,8 @@ EncryptedCookieStore vs other session stores
|
|
|
66
66
|
EncryptedCookieStore inherits all the benefits of CookieStore:
|
|
67
67
|
|
|
68
68
|
* It works out of the box without the need to setup a seperate data store (e.g. database table, daemon, etc).
|
|
69
|
-
* It does not require any maintenance. Old, stale sessions do not need to be manually cleaned up, as is the
|
|
69
|
+
* It does not require any maintenance. Old, stale sessions do not need to be manually cleaned up, as is the
|
|
70
|
+
case with PStore and ActiveRecordStore.
|
|
70
71
|
* Compared to MemCacheStore, EncryptedCookieStore can "hold" an infinite number of sessions at any time.
|
|
71
72
|
* It can be scaled across multiple servers without any additional setup.
|
|
72
73
|
* It is fast.
|
|
@@ -74,5 +75,16 @@ EncryptedCookieStore inherits all the benefits of CookieStore:
|
|
|
74
75
|
|
|
75
76
|
There are of course drawbacks as well:
|
|
76
77
|
|
|
77
|
-
*
|
|
78
|
-
|
|
78
|
+
* It is prone to session replay attacks. These kind of attacks are explained in the
|
|
79
|
+
[Ruby on Rails Security Guide](http://guides.rubyonrails.org/security.html#session-storage). Therefore you
|
|
80
|
+
should never store anything along the lines of `is_admin` in the session. EncryptedCookieStore does
|
|
81
|
+
improve on CookieStore in reducing the amount of time allowed for a replay attack to the :expire_after value,
|
|
82
|
+
instead of forever, but is still weaker than a server side session with an accompanying cookie that allows
|
|
83
|
+
re-establishment of a session, but not replay of the session contents.
|
|
84
|
+
* You can store at most a little less than 4 KB of data in the session because that's the size limit of a
|
|
85
|
+
cookie. "A little less" because EncryptedCookieStore also stores a small amount of bookkeeping data in the cookie.
|
|
86
|
+
* Although encryption makes it more secure than CookieStore, there's still a chance that a bug in
|
|
87
|
+
EncryptedCookieStore renders it insecure. We welcome everyone to audit this code. There's also a chance that
|
|
88
|
+
weaknesses in AES are found in the near future which render it insecure. If you are storing *really* sensitive
|
|
89
|
+
information in the session, e.g. social security numbers, or plans for world domination, then you should
|
|
90
|
+
consider using ActiveRecordStore or some other server-side store.
|
|
@@ -99,22 +99,22 @@ private
|
|
|
99
99
|
@data_cipher.iv = iv
|
|
100
100
|
session_data = @data_cipher.update(encrypted_session_data) << @data_cipher.final
|
|
101
101
|
session_data = inflate(session_data) if compressed
|
|
102
|
-
return [nil, nil] unless digest == OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new(@digest), secret, session_data + timestamp.to_s)
|
|
102
|
+
return [nil, nil, nil] unless digest == OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new(@digest), secret, session_data + timestamp.to_s)
|
|
103
103
|
if @expire_after
|
|
104
|
-
return [nil, nil] unless timestamp
|
|
105
|
-
return [nil, timestamp] unless Time.now.utc.to_i - timestamp < @expire_after
|
|
104
|
+
return [nil, nil, nil] unless timestamp
|
|
105
|
+
return [nil, nil, timestamp] unless Time.now.utc.to_i - timestamp < @expire_after
|
|
106
106
|
end
|
|
107
107
|
[Marshal.load(session_data), session_data, timestamp]
|
|
108
108
|
else
|
|
109
|
-
[nil, nil]
|
|
109
|
+
[nil, nil, nil]
|
|
110
110
|
end
|
|
111
111
|
else
|
|
112
|
-
[nil, nil]
|
|
112
|
+
[nil, nil, nil]
|
|
113
113
|
end
|
|
114
114
|
rescue Zlib::DataError
|
|
115
|
-
[nil, nil]
|
|
115
|
+
[nil, nil, nil]
|
|
116
116
|
rescue OpenSSLCipherError
|
|
117
|
-
[nil, nil]
|
|
117
|
+
[nil, nil, nil]
|
|
118
118
|
end
|
|
119
119
|
|
|
120
120
|
def all_unpacked_cookie_data(env)
|
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: encrypted_cookie_store-instructure
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
hash:
|
|
4
|
+
hash: 21
|
|
5
5
|
prerelease:
|
|
6
6
|
segments:
|
|
7
7
|
- 1
|
|
8
8
|
- 0
|
|
9
|
-
-
|
|
10
|
-
version: 1.0.
|
|
9
|
+
- 1
|
|
10
|
+
version: 1.0.1
|
|
11
11
|
platform: ruby
|
|
12
12
|
authors:
|
|
13
13
|
- Cody
|
|
@@ -15,8 +15,7 @@ autorequire:
|
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
17
|
|
|
18
|
-
date: 2012-05-11 00:00:00
|
|
19
|
-
default_executable:
|
|
18
|
+
date: 2012-05-11 00:00:00 Z
|
|
20
19
|
dependencies: []
|
|
21
20
|
|
|
22
21
|
description: A secure version of Rails' built in CookieStore
|
|
@@ -32,7 +31,6 @@ files:
|
|
|
32
31
|
- README.markdown
|
|
33
32
|
- lib/encrypted_cookie_store.rb
|
|
34
33
|
- encrypted_cookie_store-instructure.gemspec
|
|
35
|
-
has_rdoc: true
|
|
36
34
|
homepage: http://github.com/ccutrer/encrypted_cookie_store
|
|
37
35
|
licenses: []
|
|
38
36
|
|
|
@@ -62,9 +60,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
62
60
|
requirements: []
|
|
63
61
|
|
|
64
62
|
rubyforge_project:
|
|
65
|
-
rubygems_version: 1.
|
|
63
|
+
rubygems_version: 1.8.24
|
|
66
64
|
signing_key:
|
|
67
65
|
specification_version: 3
|
|
68
66
|
summary: EncryptedCookieStore for Ruby on Rails 2.3
|
|
69
67
|
test_files: []
|
|
70
68
|
|
|
69
|
+
has_rdoc:
|