Now would probably be a good time to start storing your Rails sessions in memcached instead of cookies
@nirvdrum if you just use HMAC, the attacker controls the session data. With Memcached, you control the session data, and there's no crypto
@bascule Right. IIRC, @igrigorik lost an argument to actually encrypt the session cookie because the overhead of encrypting 4K was too high.
@nirvdrum @igrigorik they did eventually add a store that encrypts the session cookie but didn't MAC it, thus losing all confidentiality