Comments on: Remember Me’s with Rails http://wojodesign.com/remember-mes-with-rails/ Web Design and Development Blog Fri, 03 Feb 2012 10:57:00 +0000 hourly 1 http://wordpress.org/?v= By: Anonymous http://wojodesign.com/remember-mes-with-rails/#comment-3930 Anonymous Thu, 25 Aug 2011 09:58:00 +0000 http://www.thewojogroup.com/?p=150#comment-3930 My dear friends, do you want to be more sexy in people's eyes? Just come in, please! We are international trade that specializes in the Karen Millen Dresses. Depending on the high quality and various of design styles, Karen Millen Dress have become the leader in the dress products. According to the different people, Karen Millen dresses are divided into two groups, the kids' and adults' dress. Karen Millen is your best choice! Our products are authentic quality with original box. Discount Karen Millen will cost you less money. So, please don’t hesitate, just contact us for details to get the Cheap Karen Millen Dress! We will be your reliable business partner! Welcome to our website:== http://www.karendresses.com == Thank you! My dear friends, do you want to be more sexy in people’s eyes? Just come in, please!
We are international trade that specializes in the Karen Millen Dresses. Depending on the high quality and various of design styles, Karen Millen Dress have become the leader in the dress products. According to the different people, Karen Millen dresses are divided into two groups, the kids’ and adults’ dress. Karen Millen is your best choice! Our products are authentic quality with original box. Discount Karen Millen will cost you less money. So, please don’t hesitate, just contact us for details to get the Cheap Karen Millen Dress! We will be your reliable business partner!
Welcome to our website:== http://www.karendresses.com == Thank you!

]]> By: Jeff King http://wojodesign.com/remember-mes-with-rails/#comment-17 Jeff King Tue, 02 Mar 2010 08:04:28 +0000 http://www.thewojogroup.com/?p=150#comment-17 Your second code block is full of typos. cookies[:remember_me] is never set. It should be cookies[:remember_me_id] and cookies[:remember_me_code] depending on the context. Regardless, you pointed me in the general direction, and I was able to figure out the rest. Thanks for saving me several more hours of work. Your second code block is full of typos. cookies[:remember_me] is never set. It should be cookies[:remember_me_id] and cookies[:remember_me_code] depending on the context.

Regardless, you pointed me in the general direction, and I was able to figure out the rest. Thanks for saving me several more hours of work.

]]> By: owen http://wojodesign.com/remember-mes-with-rails/#comment-16 owen Tue, 09 Feb 2010 03:31:48 +0000 http://www.thewojogroup.com/?p=150#comment-16 Excellent info, thanks! Excellent info, thanks!

]]> By: Rasmus Bang Grouleff http://wojodesign.com/remember-mes-with-rails/#comment-15 Rasmus Bang Grouleff Sat, 16 Jan 2010 15:34:06 +0000 http://www.thewojogroup.com/?p=150#comment-15 The data for generating the remember_me_code should really be salted with some (random) value that changes on each login (and preferably on each usage of the value in the cookie). Otherwise it'll be much easier to forge the remember_me_code cookie for an attacker. The simplest method would be to add a logged_in_at attribute on the User model that gets updated after authentication and use that to salt the email before passing it to the hash function. The data for generating the remember_me_code should really be salted with some (random) value that changes on each login (and preferably on each usage of the value in the cookie). Otherwise it’ll be much easier to forge the remember_me_code cookie for an attacker.

The simplest method would be to add a logged_in_at attribute on the User model that gets updated after authentication and use that to salt the email before passing it to the hash function.

]]> By: james_earl http://wojodesign.com/remember-mes-with-rails/#comment-14 james_earl Wed, 02 Dec 2009 21:32:07 +0000 http://www.thewojogroup.com/?p=150#comment-14 SHA1 is a hashing algorithm. It's not encryption. You can reverse encryption. You can't reverse a (properly designed) hash. SHA1 is a hashing algorithm.

It’s not encryption. You can reverse encryption. You can’t reverse a (properly designed) hash.

]]> By: Brett Wejrowski http://wojodesign.com/remember-mes-with-rails/#comment-13 Brett Wejrowski Fri, 18 Sep 2009 15:46:58 +0000 http://www.thewojogroup.com/?p=150#comment-13 @xpmatteo, the idea was that by taking a random excerpt of the hash, it would be impossible to figure out. This is mostly because the attacker wouldn’t know what I used to create this hash. – However, I have become more prone to using a more complicated input to the hash since I published this, using multiple user fields along with a secret string to improve security. – Thanks for the feedback! @xpmatteo, the idea was that by taking a random excerpt of the hash, it would be impossible to figure out. This is mostly because the attacker wouldn’t know what I used to create this hash.

However, I have become more prone to using a more complicated input to the hash since I published this, using multiple user fields along with a secret string to improve security.

Thanks for the feedback!

]]> By: xpmatteo http://wojodesign.com/remember-mes-with-rails/#comment-12 xpmatteo Fri, 18 Sep 2009 15:29:15 +0000 http://www.thewojogroup.com/?p=150#comment-12 Hi Brett, I'm not convinced that your implementation is secure enough. If I know the user id and the email of another user, I can forge cookies to let me in. To make that more secure, I would add a secret string to the input of the SHA1 hashing function. Hi Brett,

I’m not convinced that your implementation is secure enough. If I know the user id and the email of another user, I can forge cookies to let me in. To make that more secure, I would add a secret string to the input of the SHA1 hashing function.

]]> By: Balachandran http://wojodesign.com/remember-mes-with-rails/#comment-11 Balachandran Mon, 30 Mar 2009 05:57:20 +0000 http://www.thewojogroup.com/?p=150#comment-11 Dear, I am trying to implement this remember me code. In this you are checking the conditions called cookies[:remember_me]. May i know from where you are getting the code cookies[:remember_me].In the cookies we are not storing cookies[:remember_me] but when are checking in the before filter we are using this,so pls let me know reg this issues. # if ( cookies[:remember_me] and cookies[:remember_me] and User.find( cookies[:remember_me]) and Digest::SHA1.hexdigest( User.find( cookies[:remember_me] ).email )[4,18] == cookies[:remember_me_code] ) Dear,
I am trying to implement this remember me code. In this you are checking the conditions called cookies[:remember_me]. May i know from where you are getting the code cookies[:remember_me].In the cookies we are not storing cookies[:remember_me] but when are checking in the before filter we are using this,so pls let me know reg this issues.

# if ( cookies[:remember_me] and cookies[:remember_me] and User.find( cookies[:remember_me]) and Digest::SHA1.hexdigest( User.find( cookies[:remember_me] ).email )[4,18] == cookies[:remember_me_code] )

]]> By: Andreas http://wojodesign.com/remember-mes-with-rails/#comment-10 Andreas Thu, 06 Nov 2008 11:49:12 +0000 http://www.thewojogroup.com/?p=150#comment-10 Nice how-to! One thing though: Could it be that "cookies.delete :backbone_id" needs to be "cookies.delete :remember_me_id" instead? Nice how-to! One thing though: Could it be that “cookies.delete :backbone_id” needs to be “cookies.delete :remember_me_id” instead?

]]> By: Brett http://wojodesign.com/remember-mes-with-rails/#comment-9 Brett Mon, 29 Sep 2008 22:24:11 +0000 http://www.thewojogroup.com/?p=150#comment-9 Not a bad idea. However, it would depend on what user data you store in your session variables. As long as each site has similar user info in their database, or you are using the same database for all the sites, that would work fine (i.e. using email in the session would be easier than using user id if you used a different dB to store user data). For this site, what I meant for multiple logins is that I have a user system for admins (i.e. viewing stats and creating posts) and a completely different, temporary system for beta users (for the beta launch, visitors must create a username to view the site, in order to limit traffic). So I have two different types of logins and user models, hence, two separate custom authentication systems, which is why I chose not to use a plugin. But you have a good idea for using one session for multiple sites under one domain, as far as I know it should work. Not a bad idea. However, it would depend on what user data you store in your session variables. As long as each site has similar user info in their database, or you are using the same database for all the sites, that would work fine (i.e. using email in the session would be easier than using user id if you used a different dB to store user data).

For this site, what I meant for multiple logins is that I have a user system for admins (i.e. viewing stats and creating posts) and a completely different, temporary system for beta users (for the beta launch, visitors must create a username to view the site, in order to limit traffic). So I have two different types of logins and user models, hence, two separate custom authentication systems, which is why I chose not to use a plugin.

But you have a good idea for using one session for multiple sites under one domain, as far as I know it should work.

]]>