[Rails] 'remember me' using cookies
Isak Hansen
isak.hansen at gmail.com
Fri Jul 28 12:24:33 GMT 2006
On 7/27/06, Alan Bullock <liststuff at gmail.com> wrote:
> I'm about to implement this, and I'm thinking of storing the user's id and
> their hashed password in the cookie after a successful authentication.
>
> Can anyone see an obvious security issue with this? I know the method is
> vulnerable to cookie theft, but am I missing anything?
Don't include the password in any form, just as a precaution.
And add a timestamp; you really don't want such a cookie to be valid forever.
Isak
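As an added example (not code from the thread or from Rails itself), here is a remember-me token built the way Isak suggests, user id plus an expiry timestamp and nothing derived from the password, and it goes one step further than the reply by HMAC-signing the value with a server-side secret so a client cannot forge it or extend the expiry. The module name, the secret and the 14-day TTL are assumptions for the demo.

```ruby
require 'openssl'

# Remember-me token of the form "user_id:expires_at:hmac". The password (hashed
# or not) is never part of it; the expiry bounds how long a stolen cookie stays
# useful, and the HMAC stops anyone from altering the id or the expiry.
module RememberMe
  SEPARATOR = ':'

  # secret is a server-side key (assumption: loaded from app config,
  # never sent to the client).
  def self.build(user_id, secret, ttl_seconds:, now: Time.now)
    expires_at = now.to_i + ttl_seconds
    payload = "#{user_id}#{SEPARATOR}#{expires_at}"
    "#{payload}#{SEPARATOR}#{sign(payload, secret)}"
  end

  # Returns the user id if the cookie is authentic and unexpired, nil otherwise.
  def self.verify(cookie, secret, now: Time.now)
    return nil unless cookie.is_a?(String)
    user_id, expires_at, mac = cookie.split(SEPARATOR, 3)
    return nil if user_id.nil? || expires_at.nil? || mac.nil?
    return nil unless /\A\d+\z/.match?(user_id) && /\A\d+\z/.match?(expires_at)
    payload = "#{user_id}#{SEPARATOR}#{expires_at}"
    # Check the MAC before trusting any field, then enforce the expiry.
    return nil unless secure_equal?(sign(payload, secret), mac)
    return nil if expires_at.to_i <= now.to_i
    user_id.to_i
  end

  def self.sign(payload, secret)
    OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  end

  # Constant-time comparison so a MAC can't be guessed byte by byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret'          # constructed value for the demo
  cookie = RememberMe.build(42, secret, ttl_seconds: 14 * 24 * 3600)
  puts cookie
  p RememberMe.verify(cookie, secret)                                 # => 42
  p RememberMe.verify(cookie.sub(/\A42/, '7'), secret)                # => nil
  p RememberMe.verify(cookie, secret, now: Time.now + 15 * 24 * 3600) # => nil
end
```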