diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2011-03-29 17:38:43 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2011-03-29 17:38:43 -0700 |
commit | 0471fc9f1cf95865a9810b46f1227783fee40ab5 (patch) | |
tree | 50c6a1990e7b97b7960a692c9441e686cbcb4902 /railties/guides/source/security.textile | |
parent | 28c73f012328c8386acfc608f0dfb1a459dbf170 (diff) | |
parent | 58becf116580c37c63b89f4a660ebe293f6e7c4e (diff) | |
download | rails-0471fc9f1cf95865a9810b46f1227783fee40ab5.tar.gz rails-0471fc9f1cf95865a9810b46f1227783fee40ab5.tar.bz2 rails-0471fc9f1cf95865a9810b46f1227783fee40ab5.zip |
Merge branch 'master' into zomg
* master: (51 commits)
order is not guaranteed by this select, so add an order and call first!
oracle stores this with microseconds, so convert to seconds before comparing
make sure that active connections are not cleared during test when an exception happens
clearing active connections in the ConnectionManagement middleware if an exception happens
proxy body responses so we close database connections after body is flushed
Pass the proper method_name instead of hardcoding to action_name.
Quote find_in_batches ORDER BY clause [#6620 state:resolved]
Delegate first!, last!, any? and many? to scoped
Dont call authenticate_or_request_with_http_basic twice
Remove 'warning: ambiguous first argument' when running ActionPack tests
Change exists? so that it doesn't instantiate records [#6127 state:resolved]
Move mapper_test to the appropriate location
Update the wildcard route to be non-greedy by default, therefore be able to match the (.:format) segment [#6605 state:resolved]
Fix examples
Added Base.http_basic_authenticate_with to do simple http basic authentication with a single class method call [DHH]
make sure we have an active database connection before running each connection management test
adding active_connections? to the connection pool for finding open connections
adding active_connection? to the connection pool
testing app delegation from the ConnectionManagement middleware
namespacing connection management tests. :heart:
...
Diffstat (limited to 'railties/guides/source/security.textile')
-rw-r--r-- | railties/guides/source/security.textile | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index 182f3631ef..893f65856c 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -57,7 +57,11 @@ Many web applications have an authentication system: a user provides a user name Hence, the cookie serves as temporary authentication for the web application. Everyone who seizes a cookie from someone else, may use the web application as this user – with possibly severe consequences. Here are some ways to hijack a session, and their countermeasures: -* Sniff the cookie in an insecure network. A wireless LAN can be an example of such a network. In an unencrypted wireless LAN it is especially easy to listen to the traffic of all connected clients. This is one more reason not to work from a coffee shop. For the web application builder this means to _(highlight)provide a secure connection over SSL_. +* Sniff the cookie in an insecure network. A wireless LAN can be an example of such a network. In an unencrypted wireless LAN it is especially easy to listen to the traffic of all connected clients. This is one more reason not to work from a coffee shop. For the web application builder this means to _(highlight)provide a secure connection over SSL_. In Rails 3.1 and later, this could be accomplished by always forcing SSL connection in your application config file: + +<ruby> +config.force_ssl = true +</ruby> * Most people don't clear out the cookies after working at a public terminal. So if the last user didn't log out of a web application, you would be able to use it as this user. Provide the user with a _(highlight)log-out button_ in the web application, and _(highlight)make it prominent_. |