Replay attacks with cookie session: Rails 2.0

I am using Rails 2.0.5 with the cookie session store.

But the cookie session has a serious problem: the possibility of replay attacks. How do I prevent replay attacks with cookie storage?

I am hoping for a Rails 2.0 plug-in or specific code examples.

Could you help me?


0




2 answers


I think the only way to prevent them is by using an SSL connection.



But I think you'll be safe even without it, as long as you don't store sensitive data (like passwords) in the session and set a reasonable expiration time for it.

+2




The cookie session store is no more susceptible to replay attacks than other Rails session stores. While the cookie store stores encrypted session data in a cookie, other stores store the session ID, which is equally valuable to an attacker. This is true for most web frameworks as well. Aside from using SSL, I don't believe there is any way to prevent these attacks.



+2
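
The expiration time mentioned in the first answer can be enforced on the server by putting the expiry inside the signed cookie data, which limits how long a captured copy keeps verifying. This is an added example, not part of either answer and not Rails' own cookie store code; `SECRET`, `SESSION_TTL`, `issue_cookie` and `read_cookie` are hypothetical names, and the values are constructed.

```ruby
require "openssl"
require "json"

SECRET      = "constructed-demo-secret" # constructed value, not a real key
SESSION_TTL = 15 * 60                   # seconds; assumed expiration window

def sign(data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
end

# Issue "payload--mac"; the expiry is part of the signed payload, so the
# client cannot extend it without invalidating the MAC.
def issue_cookie(session, now)
  body = session.merge("expires_at" => now.to_i + SESSION_TTL)
  payload = [JSON.generate(body)].pack("m0") # strict base64, no newlines
  "#{payload}--#{sign(payload)}"
end

# Compare in constant time so the MAC check does not leak where it failed.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the session hash, or nil when the cookie is malformed, tampered
# with, or past its server-set expiry.
def read_cookie(cookie, now)
  payload, mac = cookie.to_s.split("--", 2)
  return nil if payload.nil? || mac.nil?
  return nil unless secure_compare(mac, sign(payload))
  session = JSON.parse(payload.unpack1("m0"))
  return nil if session["expires_at"].to_i <= now.to_i
  session
end

if __FILE__ == $0
  t0 = Time.at(1_700_000_000) # constructed timestamp
  captured = issue_cookie({ "user_id" => 42 }, t0)
  # The same bytes verify on every presentation until the expiry passes.
  p read_cookie(captured, t0 + 60)
  p read_cookie(captured, t0 + SESSION_TTL + 1)
end
```

Within the window the replayed cookie is still accepted, so this narrows the exposure rather than removing it; keeping the cookie off the wire in the clear is what SSL is for.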








