I have read a number of different tutorials that talk about adding a login page to an application that all contain very similar wording: "Of course, you would log in over an SSL connection". And I understand the theory of HTTP and the theory of packet sniffing well enough to know that, if I type in a password on a form, and that form gets sent unencrypted to a server, then anybody with a packet sniffer could peek at that form as it goes whizzing by and look at the password. And I understand human nature enough to know that if something like that _could_ be done, then there are people out there who delight in doing things like that.
OK, enough long-winded babbling introduction. The tutorials I've read about logging into an application all store the user ID in the session. I presume that the "session" is a conceptual framework wrapped around a cookie. Here is where my knowledge of the theory of HTTP runs out. So I start to assume things. One thing that I assume is that, when a server places a cookie in a client's browser, there must be something inherent in the protocol that would allow the server to retrieve that cookie.

Now I start to wonder how secure sessions are. If only the login page is encrypted, what is to prevent somebody from sniffing the unencrypted cookie request and response as they go whizzing by to fetch later pages? Is there a provision for encrypted cookies? Do the client and the server share a secret when the cookie is first placed on the client (via the encrypted link) that is used to prevent the cookie from being used by a malicious party?

I'm just curious about this, and, because I'm curious, and because I am really supposed to be writing an annual report, I thought this would be a good time to ask the experts about this burning issue. :-)

--wpd
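The mechanism the question is circling is a signed session cookie. Rails' CookieStore serialises the session hash into the cookie and appends an HMAC computed with a server-side secret, so the client can hold the cookie but cannot alter it undetected (newer Rails versions also encrypt the cookie, which hides the contents as well). What signing does not do is stop replay: a copy sniffed from a plain-HTTP request is byte-for-byte valid, which is exactly the gap the poster is worried about, and the Secure cookie flag is what closes it by keeping the cookie off unencrypted connections. The Ruby below is an added illustration written for this page, not code from the original post or from Rails itself; the secret, cookie name and helper names are constructed for the example, and the HMAC/Base64 layout approximates rather than reproduces Rails' own format.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed example secret. Rails keeps the real one in its config
# (secret_key_base in current versions); this placeholder is not a real key.
SERVER_SECRET = 'constructed-example-secret-do-not-use'.freeze

# Server side: serialise the session hash and append an HMAC over it, so the
# cookie can live in the browser without anyone being able to edit it unnoticed.
def sign_session(session, secret = SERVER_SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{mac}"
end

# Constant-time comparison so the server does not leak how many leading bytes
# of a guessed MAC were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: recompute the HMAC and trust the payload only if it matches.
# Returns the session hash, or nil when the cookie is tampered with or malformed.
def verify_session(cookie_value, secret = SERVER_SECRET)
  payload, mac = cookie_value.to_s.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_compare(expected, mac)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Attacker who sniffed a cookie and edits user_id without knowing the secret:
# the payload changes, the old MAC no longer matches, the server rejects it.
def forge_user_id(sniffed_cookie, new_user_id)
  original_payload, original_mac = sniffed_cookie.split('--', 2)
  session = JSON.parse(Base64.strict_decode64(original_payload))
  session['user_id'] = new_user_id
  "#{Base64.strict_encode64(JSON.generate(session))}--#{original_mac}"
end

# Browser side: a cookie flagged Secure is attached only to https requests, so
# a plain-http page fetch after the SSL login never puts it on the wire.
def browser_sends_cookie?(set_cookie_attributes, request_scheme)
  attrs = set_cookie_attributes.split(';').map(&:strip)
  secure = attrs.any? { |a| a.casecmp('Secure').zero? }
  !secure || request_scheme == 'https'
end

# Constructed cookie name; HttpOnly keeps page scripts from reading the cookie,
# Secure keeps it off unencrypted connections.
def set_cookie_header(cookie_value)
  "Set-Cookie: _app_session=#{cookie_value}; Path=/; HttpOnly; Secure"
end

if $PROGRAM_NAME == __FILE__
  cookie = sign_session({ 'user_id' => 42 })
  puts set_cookie_header(cookie)
  p verify_session(cookie)                    # genuine cookie: session accepted
  p verify_session(forge_user_id(cookie, 1))  # edited copy: nil, tampering detected
  p verify_session(cookie)                    # replayed sniffed copy: still accepted
  p browser_sends_cookie?('Path=/; HttpOnly; Secure', 'http')  # false
end
```

The third check is the one to dwell on: the HMAC proves the cookie came from the server, not that the bearer is the user who logged in, so signing alone does nothing against a sniffed copy. Serving the whole authenticated session over HTTPS and marking the cookie Secure is what keeps the copy from being captured in the first place.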