Comments for judofyr's camping  

Well, the Rack spec says that the environment always will be a true intance of Hash (no subclassing allowed) so it’s really not our problem…

The .to_hash method is actually needed if the object is ENV, when responding to a CGI request.

Meh, I was just tossing ideas around. I had it on a branch, but I think I removed it a while ago. H does a good job already, and there’s no point of adding a new dependency :-)

I thought we’d decided using Mash would be funky? But your gems don’t seem to include it. Whats the dealio? Are we now anti-mash?

Hmm… Fair enough! ^_

Doesn’t that algorithm require two different secret keys though? Do we know that the implementation in OpenSSL is strong? I would have thought everything in SSL would be incredibly outdated and ancient.

Thank you thank you thank you! :D

Cryptology is pretty hard, and doing hash(key + data) has proved to be insecure: http://en.wikipedia.org/wiki/HMAC#Design_Principles

We’re not aiming for prefect security, but when can get a better solution for free I’m not complaining :-)

USER_AGENT is probably a good idea to remove, though!

I’m confused as to why this change is good. What is different about the hmac implementation in OpenSSL that makes it better?

Also please can we ditch @env.HTTP_USER_AGENT? It stops flash applets from being able to communicate with camping apps by killing their session, and presumably does the same to java. I’ve had to make my own http_user_agentless secure_blob_hasher to get flash to work with my camping webapp, where I use a flash applet to upload pictures, which was annoying and confusing. :/

Yay! ^_

The commit has since been removed.