path: root/guides
author: Rafael Mendonça França <rafaelmfranca@gmail.com> 2014-08-16 14:26:28 -0300
committer: Rafael Mendonça França <rafaelmfranca@gmail.com> 2014-08-16 14:26:28 -0300
commit: b97204c3439e584419afacaf7b61777a361f5437 (patch)
tree: d2f015e9462c9378496bbf304a2b2148a0aecdbe /guides
parent: cc9d1c52012cd9d7c3f55fd3fe4032080f83b4f2 (diff)
parent: 5e0f9e40a3523940a23b644e93231385d1760c26 (diff)
download: rails-b97204c3439e584419afacaf7b61777a361f5437.tar.gz
rails-b97204c3439e584419afacaf7b61777a361f5437.tar.bz2
rails-b97204c3439e584419afacaf7b61777a361f5437.zip
Merge pull request #16523 from tomkadwill/cookie_store_rewording
[ci skip] re-worded section on CookieStore to make it more readable.
Diffstat (limited to 'guides')
-rw-r--r-- guides/source/security.md 6
1 files changed, 3 insertions, 3 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index f1db81458c..125dd82666 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -118,9 +118,9 @@ It works like this:
* A user receives credits, the amount is stored in a session (which is a bad idea anyway, but we'll do this for demonstration purposes).
* The user buys something.
-* Their new, lower credit will be stored in the session.
-* The dark side of the user forces them to take the cookie from the first step (which they copied) and replace the current cookie in the browser.
-* The user has their credit back.
+* The new adjusted credit value is stored in the session.
+* The user takes the cookie from the first step (which they previously copied) and replaces the current cookie in the browser.
+* The user has their original credit back.
Including a nonce (a random value) in the session solves replay attacks. A nonce is valid only once, and the server has to keep track of all the valid nonces. It gets even more complicated if you have several application servers (mongrels). Storing nonces in a database table would defeat the entire purpose of CookieStore (avoiding accessing the database).
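Review bot: the reworded third bullet drops the one fact the replay depends on. "The new adjusted credit value is stored in the session" no longer says the stored value is lower than the one in the copied cookie, so a reader reaches the last bullet ("The user has their original credit back") without having been told why the old cookie is worth replaying; suggest keeping the direction of the change, e.g. "* The new, lower credit value is stored in the session." Related: the fourth bullet still refers to a copy made earlier ("which they previously copied"), but no bullet records the copying, so a step such as "* The user saves a copy of the session cookie." after the first bullet would make the sequence self-contained. Minor and outside the changed lines: "(mongrels)" in the trailing context line dates the guide; "several application servers" stands on its own.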