flips: well, first of all "secure enough" always depends on the purpose :) The bcrypt stuff looks fine to me. The session stuff is missing an explicit session secret, but even with that I'm not really happy about storing the session's contents in a cookie. Then the ability to forge the contents would require either guessing the session secret, or defeating the signing algorithm
flips: and hopefully you'd be storing the users in a database instead of an in-memory Ruby Hash.
flips: anyway, the default session middleware (with a good long secret) is probably fine in practice. I just dislike the fact that the session contents are readable by the user, and that if there's a lot of it, it's transferred on every request. However, I don't know of a better one that's out there. I wrote my own that stores the session in a DB using Sequel, but I haven't fully completed and released
Not planning on storing users in an in-memory Ruby hash, no ... ;) So explicitly/manually setting the session secret is smart? I thought it was automatically created upon launch, but I guess setting it manually is good for multi-threading, especially if I host it on jruby/a jvm setup or something ... :)
Hi all. How can I route erb to a file in a folder? erb :index -> erb /folder/:index