Permalink
Browse files

Merge pull request #16523 from tomkadwill/cookie_store_rewording

[ci skip] re-worded section on CookieStore to make it more readable.
  • Loading branch information...
2 parents cc9d1c5 + 5e0f9e4 commit b97204c3439e584419afacaf7b61777a361f5437 @rafaelfranca rafaelfranca committed Aug 16, 2014
Showing with 3 additions and 3 deletions.
  1. +3 −3 guides/source/security.md
@@ -118,9 +118,9 @@ It works like this:
* A user receives credits, the amount is stored in a session (which is a bad idea anyway, but we'll do this for demonstration purposes).
* The user buys something.
-* Their new, lower credit will be stored in the session.
-* The dark side of the user forces them to take the cookie from the first step (which they copied) and replace the current cookie in the browser.
-* The user has their credit back.
+* The new adjusted credit value is stored in the session.
+* The user takes the cookie from the first step (which they previously copied) and replaces the current cookie in the browser.
+* The user has their original credit back.
Including a nonce (a random value) in the session solves replay attacks. A nonce is valid only once, and the server has to keep track of all the valid nonces. It gets even more complicated if you have several application servers (mongrels). Storing nonces in a database table would defeat the entire purpose of CookieStore (avoiding accessing the database).

0 comments on commit b97204c

Please sign in to comment.