Rails 4: Session Expiry?


Kyle Fazzari

Jul 14, 2013, 8:22:09 AM
to rubyonra...@googlegroups.com

I've been Googling this question for the past few hours, and I think it's time I simply ask this question myself.

I just made the switch from Rails 3.2 to Rails 4. I'm trying to make sure I'm as up-to-speed as possible on security issues, and I'm concerned about sessions right now. It looks like Rails 4 has moved away from supporting really anything EXCEPT cookie-based sessions, but it sounds like it's not possible to prevent cookie-based sessions from living forever. I've been reading several articles, but this one is the most official: http://guides.rubyonrails.org/security.html#session-expiry . Notice how they point out that this is an issue for cookie-based sessions, then they give a fix for it for database-based sessions (which are now deprecated, apparently).

I'm really confused. I want to be able to prevent an attacker from getting a cookie that gives him permanent access to my login-protected site. Obviously I can set :expire_after in initializers/session_store.rb, but unless I'm wrong that simply sets the expiration of the cookie which is client-side and easily altered by an attacker so the session can live forever. Of course I can make things better by forcing SSL, using secure cookies, and forcing HTTP only, but this will never be a complete defense until I can enforce session expiry.

How can I solve this problem when Rails is deprecating the only ways to have server-side sessions? Advice would certainly be appreciated!

(P.S. I know active record sessions has been moved into a gem and is still available, but the fact remains that it has been deprecated. A solution should be possible without introducing more dependencies, or at the very least without using deprecated features. I just know I'm missing something)

Frederick Cheung

Jul 15, 2013, 7:09:06 AM
to rubyonra...@googlegroups.com


On Sunday, July 14, 2013 1:22:09 PM UTC+1, Kyle Fazzari wrote:

I've been Googling this question for the past few hours, and I think it's time I simply ask this question myself.

I just made the switch from Rails 3.2 to Rails 4. I'm trying to make sure I'm as up-to-speed as possible on security issues, and I'm concerned about sessions right now. It looks like Rails 4 has moved away from supporting really anything EXCEPT cookie-based sessions, but it sounds like it's not possible to prevent cookie-based sessions from living forever. I've been reading several articles, but this one is the most official: http://guides.rubyonrails.org/security.html#session-expiry . Notice how they point out that this is an issue for cookie-based sessions, then they give a fix for it for database-based sessions (which are now deprecated, apparently).

I'm really confused. I want to be able to prevent an attacker from getting a cookie that gives him permanent access to my login-protected site. Obviously I can set :expire_after in initializers/session_store.rb, but unless I'm wrong that simply sets the expiration of the cookie which is client-side and easily altered by an attacker so the session can live forever. Of course I can make things better by forcing SSL, using secure cookies, and forcing HTTP only, but this will never be a complete defense until I can enforce session expiry.

How can I solve this problem when Rails is deprecating the only ways to have server-side sessions? Advice would certainly be appreciated!


You can store a 'valid_until' timestamp in the session. The attacker can't change this timestamp since it would change the cookie signature. Whenever you get a session with a valid_until in the past, reset the session.

Fred
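Fred's suggestion as an added example, not code from the thread or from Rails itself: a minimal signed-cookie session carrying a `valid_until` claim, and the per-request check that resets the session once that timestamp is in the past. The HMAC scheme, the `SECRET` and the 30-minute TTL are stand-ins for what the Rails cookie store does with `secret_key_base`.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed demo secret; Rails derives the real key from secret_key_base.
SECRET = 'demo-secret-do-not-use-in-production'
SESSION_TTL = 30 * 60 # seconds a session stays valid server-side

# Constant-time string comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.reduce(0, :|).zero?
end

# Encode the session hash as base64(JSON) and append an HMAC over it,
# in the spirit of the cookie-store format: "<payload>--<signature>".
def sign(payload)
  data = Base64.strict_encode64(JSON.generate(payload))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)}"
end

# Verify the signature before decoding; nil means tampered or malformed.
def verify(cookie)
  data, sig = cookie.to_s.split('--', 2)
  return nil unless data && sig
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
  return nil unless secure_equal?(expected, sig)
  JSON.parse(Base64.strict_decode64(data))
end

# On login, stamp the session with the time after which it is no longer
# accepted. The client cannot move this forward without breaking the HMAC.
def login(user_id, now = Time.now)
  sign('user_id' => user_id, 'valid_until' => (now + SESSION_TTL).to_i)
end

# Equivalent of a before_action: return the session if still valid,
# otherwise an empty hash (i.e. reset_session).
def load_session(cookie, now = Time.now)
  session = verify(cookie)
  return {} if session.nil?                             # bad signature: reset
  return {} if session['valid_until'].to_i <= now.to_i  # expired: reset
  session
end
```

The cookie's own `expires` attribute is still worth setting, but only the signed `valid_until` value is what the server actually enforces.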

ruby_on_r...@status.e4ward.com

Jul 15, 2013, 9:23:08 AM
to rubyonra...@googlegroups.com

*face-palm*

Thank you :) . The cookies are encrypted now anyways! I knew I just
wasn't thinking about it quite right.

Kyle