I'm using rails 2.0.5 with cookie session.

But the cookie session has a serious problem with the possibility of replay attacks. How do I prevent replay attacks with the cookie store?

I hope for a plugin for Rails 2.0 or concrete source code examples.

Could you help me?


+2  A: 

I think that the only way to prevent them is to use an SSL connection.

But I think you'll be safe even without one, as long as you don't store sensitive data (like passwords) in the session and make sure that you set a reasonable expiry time for them.

andi
Thank you! But can I prevent it?
ffffff
I kind of missed the question the first time around.. sorry for that.. :)
andi
+1  A: 

The cookie session store is no more susceptible to replay attacks than other Rails session stores. While the cookie store holds encrypted session data in the cookie, other stores hold the session id - equally valuable to an attacker. This is also true in most web frameworks. Other than using SSL, I don't believe there is any way to prevent these attacks.

tomafro
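To make the two answers concrete, here is an added example (not code from the question or either answer, and not Rails' own CookieStore implementation) that models the cookie store's "signed payload" format in plain Ruby. It shows why the signature alone does not stop replay: a captured cookie verifies perfectly well until its embedded expiry passes, which is exactly the "reasonable expiry time" mitigation the first answer recommends. The secret, the session contents, and the 15-minute window are constructed values for the demonstration; JSON is used in place of Rails 2.x's Marshal serialisation because unmarshalling attacker-controlled bytes is unsafe.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed secret for this example; a real app loads it from configuration.
SECRET = 'constructed-example-secret-0123456789abcdef'

# Serialise the session hash and append an HMAC-SHA1 tag, mimicking the
# Rails 2.x cookie store layout "<base64 payload>--<hex digest>".
def sign_session(session, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  digest  = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time comparison so the tag check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the tag, then enforce the expiry stored inside the signed payload.
# Returns the session hash, or nil if the cookie was tampered with, is
# malformed, or is being presented at or after its expiry time.
def load_session(cookie, now = Time.now.to_i, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, payload)
  return nil unless secure_compare(expected, digest)
  session = JSON.parse(Base64.strict_decode64(payload))
  return nil if session['expires_at'].nil? || now >= session['expires_at']
  session
rescue ArgumentError, JSON::ParserError
  nil
end

# Walk through the scenario the answers describe: the same cookie presented
# twice within the window is accepted (replay is possible), but the signature
# blocks tampering and the expiry bounds how long a captured cookie is useful.
def replay_scenario(issued_at, window_seconds = 900)
  cookie = sign_session('user_id' => 42, 'expires_at' => issued_at + window_seconds)
  {
    first_use:     !load_session(cookie, issued_at).nil?,
    replay_inside: !load_session(cookie, issued_at + window_seconds / 2).nil?,
    replay_after:  !load_session(cookie, issued_at + window_seconds).nil?,
    tampered:      !load_session(cookie.sub('--', 'AA--'), issued_at).nil?
  }
end

if __FILE__ == $0
  replay_scenario(Time.now.to_i).each { |k, v| puts "#{k}: #{v}" }
end
```

The integrity tag is what stops an attacker from forging or editing a session; nothing in the cookie itself tells the server it has already been presented, so the only server-side lever without a backend store is how short the window is, and the only way to keep the cookie from being captured in the first place is the SSL connection both answers point to.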