[Rails] 'remember me' using cookies

Andrew Stone stonelists at gmail.com
Thu Jul 27 13:00:50 GMT 2006


On 7/27/06, Alan Bullock <liststuff at gmail.com> wrote:
>
> I'm about to implement this, and I'm thinking of storing the user's id and
> their hashed password in the cookie after a successful authentication.
>
> Can anyone see an obvious security issue with this? I know the method is
> vulnerable to cookie theft but am I missing anything?
>
> thanks
> alan
>
>
The only reason I could see for storing this information is to automatically
log in the user based on the cookie credentials.  IMHO, this is a definite
security issue and I wouldn't go with this approach and therefore wouldn't
expose this information.

Just my 2 cents.

-- 
Andrew Stone
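
An added example, not part of the thread or of either poster's code: it puts the cookie described in the question beside a random per-login token whose digest is kept server-side, so the difference in revocation is visible. The `User` struct, its field names and all helper names are assumptions made for illustration.

```ruby
require 'securerandom'
require 'digest'

# Constructed record shape (assumption): id, stored password hash,
# and a list of digests of issued remember-me tokens.
User = Struct.new(:id, :password_hash, :remember_digests)

# Scheme from the question: the cookie is the user id plus the stored hash.
# The value is identical on every login and every device, and it stays
# valid until the password itself changes.
def password_hash_cookie(user)
  "#{user.id}:#{user.password_hash}"
end

def valid_password_hash_cookie?(user, cookie)
  secure_compare(cookie.to_s, password_hash_cookie(user))
end

# Alternative: a fresh random token per login. Only its SHA-256 digest is
# stored, so the stored value cannot be replayed as a cookie.
def issue_remember_token(user)
  token = SecureRandom.hex(32)
  user.remember_digests << Digest::SHA256.hexdigest(token)
  "#{user.id}:#{token}"
end

def valid_remember_token?(user, cookie)
  id, token = cookie.to_s.split(':', 2)
  return false unless id == user.id.to_s && token
  digest = Digest::SHA256.hexdigest(token)
  user.remember_digests.any? { |d| secure_compare(d, digest) }
end

# Logging out everywhere only has to clear the stored digests.
def revoke_remember_tokens(user)
  user.remember_digests.clear
end

# Constant-time string comparison to avoid leaking match position.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```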