frosty / Collaborific

A collaborative fiction writing website.
http://www.collaborific.com

Security Concerns #14

Open seanhandley opened 14 years ago

seanhandley commented 14 years ago

1. Vulnerable to script/html injections
2. Vulnerable to session replay, i.e. if I record a POST request to add a fic, then log out and clear my cookies, I can still add a fic as an authenticated user by replaying the captured request. Clearly, this is bad!

frosty commented 14 years ago

Any ideas how we fix the latter? Presumably the former is solved by doing some proper escaping when we save / display content.

MGwynne commented 14 years ago

Hello :)

Don't you guys have some form of session id stored on the server (I'm guessing Ruby has something like this?) so that when a user logs out the id is disassociated from that user? Then if they replay the same request it won't work once they've logged out since, as far as the app is concerned, the user isn't logged in.
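To make the replay problem concrete, here is an added Ruby example that is not part of the Collaborific code base and does not use Rails; it is a toy stand-in for the app with a hypothetical `SessionStore`, `FicApp` and `replay_demo`. The point it demonstrates is the one MGwynne raises: if the only thing that proves "logged in" is a cookie value the client keeps, logging out cannot revoke it, and a captured POST stays valid. When the server keeps its own table of live session tokens and deletes the entry on logout, the same captured request is rejected afterwards. It also shows the escaping fix for the first concern, passing fic text through `CGI.escapeHTML` before it is put into HTML.

```ruby
require 'securerandom'
require 'cgi'

# Server-side session store: token => user id. A token is only valid while it is in this table,
# so logging out (deleting the entry) revokes it even if the client still holds the cookie value.
class SessionStore
  def initialize
    @sessions = {}
  end

  # On successful login: mint an unguessable token and record it server-side.
  def create(user_id)
    token = SecureRandom.hex(32)
    @sessions[token] = user_id
    token
  end

  # On logout: forget the token. Any later request carrying it is unauthenticated.
  def destroy(token)
    @sessions.delete(token)
  end

  # Resolve a token to a user id, or nil if the token is unknown or has been revoked.
  def user_for(token)
    @sessions[token]
  end
end

# Minimal stand-in for the app (hypothetical, not Collaborific's code): holds fics and checks
# the session cookie on every write.
class FicApp
  attr_reader :fics

  def initialize
    @sessions = SessionStore.new
    @fics = []
  end

  def login(user_id)
    @sessions.create(user_id)
  end

  def logout(token)
    @sessions.destroy(token)
  end

  # Simulated "POST /fics". The request is a plain hash so a captured copy can be replayed verbatim.
  # Returns :created or :unauthorized.
  def post_fic(request)
    user = @sessions.user_for(request[:cookie_session])
    return :unauthorized if user.nil?

    @fics << { author: user, body: request[:body] }
    :created
  end

  # Concern #1: escape user content before interpolating it into HTML.
  def render_fic(fic)
    "<p>#{CGI.escapeHTML(fic[:body])}</p>"
  end
end

# The scenario from the report, with constructed sample input: capture the request, log out, replay.
def replay_demo
  app = FicApp.new
  token = app.login('sean')
  captured = { cookie_session: token, body: 'Once upon a time <script>alert(1)</script>' }

  first = app.post_fic(captured)    # accepted: the token is live
  app.logout(token)                 # server forgets the token
  replayed = app.post_fic(captured) # same bytes, now rejected

  {
    first: first,
    replayed: replayed,
    fics: app.fics.size,
    html: app.render_fic(app.fics.first)
  }
end

p replay_demo if __FILE__ == $PROGRAM_NAME
```

The check that matters is in `post_fic`: authorization is decided by looking the token up in server-side state on every request, not by trusting whatever the cookie says. Clearing cookies on the client, as the report does, is irrelevant to the attacker who already recorded the request; only the server deleting its record makes the replay fail.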