From f254831e8309ce6ec74cc30a46a68bb5c2ffb6df Mon Sep 17 00:00:00 2001 From: Jeremy Kemper Date: Sat, 3 Mar 2007 13:54:54 +0000 Subject: Cookie store: use OpenSSL::HMAC instead of basic hash. Introduce :secret block and :digest option. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6296 5ecf4fe2-1ee6-0310-87b1-e25e094e27de --- actionpack/CHANGELOG | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'actionpack/CHANGELOG') diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index e3632d4c86..b01eec5bab 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG 
@@ -21,7 +21,17 @@ * Routing: better support for escaped values in route segments. #7544 [Chris Roos] -* Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. [Jeremy Kemper] +* Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure message digest is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the digest). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. [Jeremy Kemper] + + Example config/environment.rb: + # Use an application-wide secret key and the default SHA1 message digest. + config.action_controller.session = { :secret => "can't touch this" } + + # Store a secret key per user and employ a stronger message digest. + config.action_controller.session = { + :digest => 'SHA512', + :secret => Proc.new { User.current.secret_key } + } * Added .erb and .builder as preferred aliases to the now deprecated .rhtml and .rxml extensions [Chad Fowler]. This is done to separate the renderer from the mime type. .erb templates are often used to render emails, atom, csv, whatever. So labeling them .rhtml doesn't make too much sense. The same goes for .rxml, which can be used to build everything from HTML to Atom to whatever. .rhtml and .rxml will continue to work until Rails 3.0, though. 
So this is a slow phasing out. All generators and examples will start using the new aliases, though. -- cgit v1.2.3
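Review bot: The rewritten CHANGELOG entry in this hunk still describes the integrity check only as "a secure message digest", while the commit subject says the store now uses OpenSSL::HMAC; since the `:digest` option selects the hash function used inside the HMAC, the entry should say so explicitly (e.g. "an HMAC over the session data, keyed by :secret, using the :digest hash function (SHA1 by default)") so readers do not conclude that a plain digest of data plus secret is what protects the cookie. The first example, `config.action_controller.session = { :secret => "can't touch this" }`, would also benefit from a sentence stating that the secret should be a long, random, application-specific value, because the entire guarantee that "a user cannot alter his user_id" rests on that key being unguessable. Finally, the per-user example `:secret => Proc.new { User.current.secret_key }` should document when the block is evaluated and how `User.current` is expected to be resolved, since the block must yield the correct key before the session cookie has been verified.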