mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Remove statement assuming coffee shop/public space wifi is inherently insecure
parent
6642407c16
commit
66e5844b9a
1 changed files with 1 additions and 1 deletions
|
@ -60,7 +60,7 @@ Many web applications have an authentication system: a user provides a user name
|
||||||
|
|
||||||
Hence, the cookie serves as temporary authentication for the web application. Anyone who seizes a cookie from someone else, may use the web application as this user - with possibly severe consequences. Here are some ways to hijack a session, and their countermeasures:
|
Hence, the cookie serves as temporary authentication for the web application. Anyone who seizes a cookie from someone else, may use the web application as this user - with possibly severe consequences. Here are some ways to hijack a session, and their countermeasures:
|
||||||
|
|
||||||
* Sniff the cookie in an insecure network. A wireless LAN can be an example of such a network. In an unencrypted wireless LAN it is especially easy to listen to the traffic of all connected clients. This is one more reason not to work from a coffee shop. For the web application builder this means to _provide a secure connection over SSL_. In Rails 3.1 and later, this could be accomplished by always forcing SSL connection in your application config file:
|
* Sniff the cookie in an insecure network. A wireless LAN can be an example of such a network. In an unencrypted wireless LAN it is especially easy to listen to the traffic of all connected clients. For the web application builder this means to _provide a secure connection over SSL_. In Rails 3.1 and later, this could be accomplished by always forcing SSL connection in your application config file:
|
||||||
|
|
||||||
```ruby
|
```ruby
|
||||||
config.force_ssl = true
|
config.force_ssl = true
|
||||||
|
|
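Review bot: In the changed bullet, the retained sentence "For the web application builder this means to _provide a secure connection over SSL_" is awkward now that it directly follows the sniffing explanation; consider "this means you should _provide a secure connection over SSL_". On the same line, "always forcing SSL connection" is missing an article ("forcing an SSL connection" or "forcing SSL connections"). The removal itself is consistent with the hedged wording that remains ("can be an example of such a network", "In an unencrypted wireless LAN"), so no other sentence in the bullet needs to change to match it.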