This uses rand() to generate a one-time authentication code. rand() is insecure; you should assume that an attacker can set up conditions where its output is predictable. Use ActiveSupport::SecureRandom instead.
Also, why does this implementation need its own special cookie? Why not just do the (minimal) housekeeping this requires in the Rails session? Magic cookies are usually a code smell.
tptacek | 14 years ago
moomerman | 14 years ago
This uses another cookie because it is permanent. The standard Rails session cookie ends at the end of the session so isn't acceptable here.
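The rand() point from the first comment, as an added example that is not part of the original thread or of the library under discussion: a code drawn from Ruby's seedable generator is reproduced exactly by anyone who knows or recovers the generator state, while one drawn from the OS CSPRNG is not. The function names, the six-digit code format, the hex cookie token and the use of the standard-library `SecureRandom` (the comment names `ActiveSupport::SecureRandom`) are assumptions.

```ruby
require 'securerandom'

# Weak (hypothetical helper): Kernel#rand and Random are a Mersenne Twister.
# The whole output sequence is a deterministic function of the seed/state.
def weak_codes(seed, count, digits = 6)
  rng = Random.new(seed)
  Array.new(count) { format("%0#{digits}d", rng.rand(10**digits)) }
end

# Hardened (hypothetical helper): uniform draw from the OS CSPRNG.
# SecureRandom.random_number(n) returns an integer in 0...n without modulo bias.
def secure_code(digits = 6)
  format("%0#{digits}d", SecureRandom.random_number(10**digits))
end

# Hypothetical value for a long-lived cookie: 32 random bytes, hex encoded
# (64 characters), so the value cannot be guessed or enumerated.
def secure_cookie_token
  SecureRandom.hex(32)
end

if __FILE__ == $PROGRAM_NAME
  seed = 20_110_101 # constructed sample seed, standing in for recovered state

  issued    = weak_codes(seed, 3) # what the server would hand out
  predicted = weak_codes(seed, 3) # what a second party with the seed computes

  puts "weak issued:    #{issued.inspect}"
  puts "weak predicted: #{predicted.inspect}"
  puts "identical:      #{issued == predicted}"

  puts "secure code:    #{secure_code}"
  puts "cookie token:   #{secure_cookie_token}"
end
```
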