Noam Ben Ari
Hi, at the time I watched tenderlove's RailsConf video saying the reason Rails was slow was too many layers of middleware. I then saw OmniAuth's architecture was one that used...
It's definitely a good route to go - integrating Sorcery with OmniAuth.
I think that's because Sorcery saves a new remember_me_token to the DB on every "remember me" request, regardless of browser. This makes the remember_me_token in other browsers' cookies revoked. The...
If you don't also keep expiration info on each browser, then the expiration will take effect from the time of the first browser, even if the last browser asked for...
Ok, so we have httpOnly turned ON (prevents JavaScript from reading it), the cookie is signed (prevents cookie tampering), and let's say we don't use SSL. So an attacker can...
No no, what I meant was: the token the attacker is sniffing right now is already obsolete, because when the user sends me his token, I give him a new...
On second thought, if I needed secure login I would just use SSL... :-)
Yes, your algo description is correct, and I've (finally) reached the conclusion that SSL is the answer... Alright, it will be fixed when I get around to it. Pull requests...
Hi, please take a look at #31, and maybe #250 is related too. I don't remember the details for CSRF, but both deleting the session and the CSRF tokens are...
Regarding 1, I suppose this is part of the fix for #31. Regarding 2, I understand the use case and it is a valid one. I agree that the login...