from Hacker News

Play Framework Security Advisory

by mnml_ on 8/6/13, 1:33 PM with 39 comments

  • by lifeisstillgood on 8/6/13, 2:48 PM

    I just do not understand why we keep persisting in putting session data into cookies.

    It's between hard and impossible to build systems perfectly that do this, whereas a server-based lookup has a limited number of attacks that do not involve owning my boxes.

    I have even written my own session handling WSGI middleware just because I don't understand encryption and cannot find a framework that doesn't try that.
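The server-side lookup approach the comment above advocates, as an added Python example (not the commenter's own middleware and not Play code): a minimal WSGI session middleware where the cookie carries only a random, unguessable id and all session data stays on the server, so a tampered or forged cookie can at most select a fresh, empty session. The cookie name, the in-memory store, the demo app and the request driver are assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"  # assumed cookie name; the browser only ever sees a random id

class ServerSideSessionMiddleware:
    """WSGI middleware: session state lives in a server-side store keyed by a random id."""
    def __init__(self, app, store=None):
        self.app = app
        # In-memory dict for the demo; a real deployment uses a shared store (DB, Redis, ...).
        self.store = {} if store is None else store

    def _resolve_session(self, environ):
        """Return (sid, is_new). Unknown or missing ids are never trusted: a fresh id is issued."""
        morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(SESSION_COOKIE)
        sid = morsel.value if morsel else None
        if sid in self.store:
            return sid, False
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable or forgeable
        self.store[sid] = {}
        return sid, True

    def __call__(self, environ, start_response):
        sid, is_new = self._resolve_session(environ)
        environ["wsgi.session"] = self.store[sid]  # the app reads/writes this dict directly

        def session_start_response(status, headers, exc_info=None):
            if is_new:
                headers.append(("Set-Cookie",
                                f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"))
            return start_response(status, headers, exc_info)

        return self.app(environ, session_start_response)

def demo_app(environ, start_response):
    """Constructed sample app: counts visits in the server-side session."""
    session = environ["wsgi.session"]
    session["visits"] = session.get("visits", 0) + 1
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"visits={session['visits']}".encode()]

def run_request(app, cookie_header=""):
    """Minimal WSGI driver for offline use; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_COOKIE": cookie_header}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```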

  • by dabeeeenster on 8/6/13, 4:02 PM

    Just patched some apps, and there have been other changes from 1.2.5 to 1.2.6 - not cool! In page templates,

    .formatCurrency('GBP')

    no longer works

  • by D9u on 8/6/13, 2:52 PM

    For some reason I thought that this was about Google Play and Android devices...

    (crawling back under my rock now...)

  • by noelwelsh on 8/6/13, 2:27 PM

    Note that a fix is available -- patched versions of Play are available for all major releases. So it might mean a redeploy of code but it's not a big deal.

  • by hahame on 8/6/13, 2:30 PM

    How is data injection possible if the session is signed?