cookiestore

For Rails apps, keeping your environment.rb file in your repository seems unsecure...

Many Rails apps use the CookieStore method of storing sessions. The security of this method depends mainly on the security of the session secret key which is defined by default in config/environment.rb:

    config.action_controller.session = { :session_key => '_some_name_session', :secret => 'long secret key' }

Most people i...

How easy is it to crack a cookie created by CookieStore from a Rails app?

I have read a bunch of stuff saying that one con of using the cookie store in a Rails app is that the client can see the cookie data. However, I looked at the cookie data and it is encrypted. Is it relatively easy to decrypt the cookie data? ...

Rails CookieStore::CookieOverflow, not for all users, only in production

I have a couple users that are getting this CookieStore::CookieOverflow error. I'm suspicious of nginx/passenger because I just switched to that last week (from nginx/thin) and now these are happening. It's always a particular action, but it doesn't happen for all users. I checked to see what I'm storing in the session and I'm not sav...

http cookies and embedded images

I'm setting a cookie during the HTTP GET request of the .html pages with embedded images. I'm expecting the browser to return the cookies when getting all the embedded images, but apparently it does not happen for the first embedded image. Is this how it's supposed to work or am I missing something? ...

Rails, CookieStore vs ActiveRecordStore

Hello, I am currently experiencing a strange issue with our users being logged out. I haven't been able to reproduce it explicitly. The Rails application is using the default CookieStore. My initial hypothesis is that somehow the session data within the cookie, or even the cookie itself is being destroyed. This may be either from a use...

session cookies work on emulator, but not real device

I'm developing an app using Android 2.1. I have a problem with using session cookies to log in to a RESTful web service. The code works fine on the emulator, but when I run it on my HTC Magic, the cookie logic doesn't work. I've confirmed that the Magic is receiving cookies in the headers by listing them (see attached). Can anyone say wh...