README.md in rack-session-smart_cookie-0.1.3 vs README.md in rack-session-smart_cookie-0.1.4

- old
+ new

@@ -4,25 +4,25 @@ [![Build Status](https://travis-ci.org/mwpastore/rack-session-smart_cookie.svg?branch=master)](https://travis-ci.org/mwpastore/rack-session-smart_cookie) The version of Rack::Session::Cookie that ships with Rack 2 has the following limitations: -* Insecure SHA1 (HMAC-SHA1) by default +* HMAC-SHA1 by default * Slow and/or bloated JSON, ZipJSON, or Marshal encoding out of the box * JSON encodings do not preserve Symbols * Digest is double-encoded and bloated (hexdigest of a base64) * Base64-encoded strings contain unecessary padding and characters that need to be escaped (e.g. `/` becomes `%2F`), wasting precious cookie bytes -* It has some bugs in the size check that may lead to truncated cookies, token - leakage, and/or cross-site request forgery +* It has some bugs in the size check that may lead to dropped or truncated + cookies, token leakage, and/or cross-site request forgery Of course, none of these are true show-stoppers, and the worst can be worked around by passing e.g. `:hmac` and `:coder` to the initializer. But we are nice people and we deserve nice things. This gem provides a minor derivative of Rack::Session::Cookie with the following improvements: -* Secure SHA2 (HMAC-SHA-256) by default +* HMAC-SHA256 by default * Compact binary serialization format (currently [MessagePack][3] but will likely change to [CBOR][4] in the future) out of the box * Symbols are preserved with the default `:coder` * Digest is single-encoded and compact (base64 of a digest) * Base64-encoded strings are not padded and conform to URL-encoded form data @@ -47,11 +47,11 @@ Base64 plus period (`.`) and asterisk (`*`), so there's no sense in using any stringification scheme other than non-padded, URL-safe Base64! It doesn't need to be configurable. The serializer remains configurable as the `:coder`. The remaining differences are mostly just better defaults: MessagePack and -SHA2. +HMAC-SHA256. ## Installation Add this line to your application's Gemfile: 
@@ -101,11 +101,11 @@ ZipJSON (Zlib+JSON) results. However, I was able to run the benchmarks locally and add ZipJSON. Although it comes in second-most compact at 289 bytes (cf. protocol buffers and MessagePack at 204 and 373 bytes, respectively), it was 97% slower to encode and 91% slower to decode cf. MessagePack. -I put this mock session payload through the following configurations with SHA2 -and 128 sidbits and here are the results: +I put this mock session payload through the following configurations with +HMAC-SHA256 and 128 sidbits and here are the results: ```ruby { :user_id=>514, :roles=>[:user, :moderator, :mailbox],
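Review bot: in the `@@ -4,25` hunk, dropping the "Insecure"/"Secure" qualifiers from the HMAC-SHA1 and HMAC-SHA256 bullets is the more accurate wording, because HMAC's security does not rest on the collision resistance of the underlying hash, so HMAC-SHA1 is deprecated rather than broken and the stronger default is best justified on that basis; while editing this list, the unchanged context line "Base64-encoded strings contain unecessary padding" should read "unnecessary", and the new "dropped or truncated cookies" bullet would be clearer if it said which side drops the cookie (the browser rejecting an oversized `Set-Cookie`), since that is what turns a size-check bug into a session-loss or token-leakage issue.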
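Review bot: in the `@@ -47,11` hunk, replacing "SHA2" with "HMAC-SHA256" removes a real ambiguity, since SHA-2 is a family (SHA-224/256/384/512) and the README earlier names `:hmac` as the initializer option; consider stating here what value that option takes so readers can tell which member of the family the default corresponds to and how to override it.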
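Review bot: in the `@@ -101,11` hunk, the rename to "HMAC-SHA256" is consistent with the earlier hunks, but the sentence still leaves the `:coder` used for the payload measurements implicit; because the digest length is fixed by the HMAC choice and the coder is what the 204/289/373-byte comparison varies, naming both parameters in this sentence ("with HMAC-SHA256, 128 sidbits, and each of the following coders") would make the benchmark reproducible from the README alone.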