Notes posted by ksylvest
ksylvest -
May 4, 2014
Security
In regards to @aamer’s comment on including the password salt, this is a bad idea. `ActiveSupport::MessageVerifier` is NOT encrypted, so:
```ruby
require 'active_support'
require 'active_support/message_verifier'
require 'base64'

verifier = ActiveSupport::MessageVerifier.new('secret')
id = 'id'
salt = 'salt'
token = verifier.generate("#{id}-#{salt}")
# "BAhJIgxpZC1zYWx0BjoGRVQ=--c880254708d18ce4a686bcd96a25cf0d2117e1e0"

# The part before "--" is only base64-encoded, not encrypted:
Base64.decode64(token.split("--").first)
# "...id-salt..."
```
Note how the salt and id are both exposed! Instead, a different token (reset_password_token) should be used.
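The following is an added example, not part of ksylvest's note and not Rails code. It uses only the Ruby standard library to reproduce the shape of a `MessageVerifier` token (base64 of a `Marshal` dump, then `--`, then a hex HMAC-SHA1; that this matches the real layout is an assumption based on the token shown above) so the point is visible without Rails installed: the signature stops tampering, but anyone holding the token can read the payload without the secret. The `ResetToken` class is a hypothetical helper showing the alternative the note recommends: a random token that carries no user data, stored only as a digest.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Constant-time comparison so the signature check does not leak
# how many leading bytes matched (same idea as ActiveSupport's secure_compare).
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Toy signer mirroring the MessageVerifier token layout: "<base64 payload>--<hex hmac>".
# This is an illustration of the format, not the Rails implementation.
class ToySigner
  def initialize(secret)
    @secret = secret
  end

  # Signs the value; the payload is encoded, NOT encrypted.
  def generate(value)
    data = [Marshal.dump(value)].pack('m0') # strict base64, no newlines
    "#{data}--#{hmac(data)}"
  end

  # Returns the original value only if the signature checks out, else nil.
  # The HMAC is verified before anything is deserialized.
  def verify(token)
    data, digest = token.split('--', 2)
    return nil unless data && digest && constant_time_equal?(hmac(data), digest)
    Marshal.load(data.unpack1('m0'))
  end

  # What an attacker can do with no secret at all: read the payload bytes.
  def self.peek(token)
    token.split('--', 2).first.unpack1('m0')
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
  end
end

# Hypothetical reset-token helper: the token is random, so it reveals nothing,
# and only its digest is stored, so a database leak does not hand out usable tokens.
class ResetToken
  def self.issue
    raw = SecureRandom.urlsafe_base64(32)          # 256 bits of entropy, sent to the user
    [raw, Digest::SHA256.hexdigest(raw)]           # caller persists only the digest
  end

  def self.matches?(stored_digest, presented)
    constant_time_equal?(stored_digest, Digest::SHA256.hexdigest(presented))
  end
end

if __FILE__ == $PROGRAM_NAME
  signer = ToySigner.new('secret')
  token = signer.generate('id-salt')
  puts token
  puts ToySigner.peek(token).inspect   # plaintext "id-salt" is right there
  raw, digest = ResetToken.issue
  puts raw, digest
end
```

`peek` needs no secret, which is the whole problem with putting a salt (or anything else sensitive) inside a signed-but-unencrypted token; `verify` checks the HMAC before touching `Marshal.load`, and `ResetToken` sidesteps the issue by never placing user data in the token at all.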