Rails best session storage for security? -

-

I'm trying to set up my session to run on the server, but not about knowing about it I've searched the address for a while and I'm not getting a resource that helps me set up non-cookie based sessions. I have seen somewhere that the session story stores it on the server instead of the client, but I can not find anything about it. (How does this work or how it is set) Can someone help clarify things for me?

I know of three ways to keep a user's attitude when using your site: cookies and Using HTTPS conclusions digital certificates and cookless sessions.

Kukelis

Cookies are smells like being unsafe even under HTTPS connections because you have to pass an identifier (which is a cookie in the "regular" session The server, usually in your address call, will:

You should probably check, and its security implications.

Also explain about how it can be achieved through javascript.

HTTPS and certificate

In an HTTPS connection approach, the user is required to present his / her certificate on every request to the server. Considering that the user will present the certificate on every request to the server, the session can be completely avoided, because you will transparently authenticate every request.

I do not think it is possible to implement this approach without providing the user and certificate without providing the certificate. This is not the usual "Server Only Certificate" HTTPS approach.

Cookies

Considering that you can not be ready to go to the HTTPS route, the only way to recognize it is to have a similar browser Calling it, you have to return the cookie to tie it for a session. There is probably no way that you can keep any cookie without any session and still you have saved it from fraud.

Bottom line: The browser must send you a way to tie the browser request session, so you can be sure (assuming you are encrypting your connection) that this is the same Which it says.

Sessions are controlled by the server, and each cookie issued is entered in the session-table when the browser that calls the cookie again, then it should be inquired from the server and identified. May be.

I have linked one of the answers, in which a method has been described to keep all the user information. There is no need to query the session database on the server to identify cookies, and therefore the request browser.

Ruby on Rail

The railway approach is described for the sessions.

The list of rail API AP provides storage system information storage system.

ActionDispatch :: Session :: Cookie Store is a "server-less" session storage, so you must have all the information server in the cookie, identify the session sent by the browser . Most likely what you want in your question.

But it is not more or less secure from storing session information in server-side, such as ActionDispatch :: session :: CacheStore or some other information about session The way but it is very fast.

Bottom line: When using cookie-based sessions, there are differences in storage methods, entry and response time, security is not there.

If you want to go with safety, I recommend that CSTL should go with HTTPS certification, but it is incompatible with general public web applications.


Comments

Post a Comment

Popular posts from this blog

import - Python ImportError: No module named wmi -

-
I followed the instructions for downloading WMI for Python When I try to run the code for C.Win32_Service (StartMode = "Auto", state = "Stopped") import wmi c = wmi.WMI (): if Raw_input ("restart% s?"% S.Caption) .upper () == "Y": s.StartService () I got the error < Code> traceback (most recent call end): file ". \", Line 1, edit: I am using Python 2.7.6 EDIT2: I am running 64-bit Windows 2008 R2, and I've downloaded WMI-1.4.9.zip (md5). I removed the content and put it in D: Python \ Tools \ Scripts I executed dragon setup.py.install I said D : \ Python \ tools \ scripts to% PATH% and when I execute the code for C.Win32_Service (StartMode = "Auto", state = "Stopped") import wmi c = Wmi.WMI (): If raw_input ("Restart% s?"% S. Caption). () == "Y": s.StartService () error me Gets traceback (most recent call final): File ". See \", line 1, &
Read more

Editing Python Class in Shell and SQLAlchemy -

-
I am working on the terminal on a shell script after this tutorial SQLAlchemy tutorial. I need to type gt; & Gt; & Gt; Sqlalchemy import column, integer, string & gt; & Gt; & Gt; Class user (base): __tablename__ = 'users' id = column (integer, primary_key = true) name = column (string) absolute name = column (string) password = column (string) def __repr __ (self): return "& lt ; User (name = '% s', absolute name = '% s', password = '% s') & gt; "% (Self.name, self.fullname, self.password) After the problem I have typed the password = column (string) I hit twice and changed .... >> I then took everything back but then an error was thrown because the class already exists ... I am not completely sure how to fix it. How do I open that slip in the shell script and edit it (Add DF to DRR) The error thrown below: / user / giripeters / TFSQLLX / Lib / python2.7 / site-packages / sqlalchemy / ext / decla
Read more

c# - MySQL Parameterized Select Query joining tables issue -

-
I am using parameterized select questions in conjunction with my program and it works entirely, When I try to join the table Everything I have done is a small fraction: using (MySqlCommand cmd = new MySqlCommand (paramQuery) ToSql (), Connection)) /etc/ paramQuery.ToSql () Equal: "Select TableOne ID, Tableon, Department, Tablet. One by name table, Table 2 h Yes TableOnEID = @Pharmak "* / for (Int Index = 0; Index and Lt; ParamariX Parameter (.c calculation; Index ++) Cmd.Parameters.AddWithValue (paramQuery.Parameters (). ElementAt (index). , ParamQuery.Parameters (). ElementAt (index) .Value); / * ParamQuery.Parameters (). ElementAt (index) .k = "@most 0" paramQuery.Parameters (). ElementAt (index) .Value = "tableTwo.ID" * / MySqlDataReader Reader = cmd.ExecuteReader (); While (reader.Read ()) {// do stuff} } One of the tables I attempt to join is For the table, two with the same id for all. Is there something that I'm doing wrong?
Read more