I've been Googling this question for the past few hours, and I think it's time I simply ask this question myself.

I just made the switch from Rails 3.2 to Rails 4. I'm trying to make sure I'm as up-to-speed as possible on security issues, and I'm concerned about sessions right now. It looks like Rails 4 has moved away from supporting really anything EXCEPT cookie-based sessions, but it sounds like it's not possible to prevent cookie-based sessions from living forever. I've been reading several articles, but this one is the most official: http://guides.rubyonrails.org/security.html#session-expiry . Notice how they point out that this is an issue for cookie-based sessions, then they give a fix for it for database-based sessions (which are now deprecated, apparently).

I'm really confused. I want to be able to prevent an attacker from getting a cookie that gives him permanent access to my login-protected site. Obviously I can set :expire_after in initializers/session_store.rb, but unless I'm wrong that simply sets the expiration of the cookie which is client-side and easily altered by an attacker so the session can live forever. Of course I can make things better by forcing SSL, using secure cookies, and forcing HTTP only, but this will never be a complete defense until I can enforce session expiry.

How can I solve this problem when Rails is deprecating the only ways to have server-side sessions? Advice would certainly be appreciated!

(P.S. I know active record sessions has been moved into a gem and is still available, but the fact remains that it has been deprecated. A solution should be possible without introducing more dependencies, or at the very least without using deprecated features. I just know I'm missing something)

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/cd692d68-e976-4cd6-83c6-52a784e513f6%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
On Sunday, July 14, 2013 1:22:09 PM UTC+1, Kyle Fazzari wrote:

> I've been Googling this question for the past few hours, and I think it's time I simply ask this question myself.
>
> I just made the switch from Rails 3.2 to Rails 4. I'm trying to make sure I'm as up-to-speed as possible on security issues, and I'm concerned about sessions right now. It looks like Rails 4 has moved away from supporting really anything EXCEPT cookie-based sessions, but it sounds like it's not possible to prevent cookie-based sessions from living forever. I've been reading several articles, but this one is the most official: http://guides.rubyonrails.org/security.html#session-expiry . Notice how they point out that this is an issue for cookie-based sessions, then they give a fix for it for database-based sessions (which are now deprecated, apparently).
>
> I'm really confused. I want to be able to prevent an attacker from getting a cookie that gives him permanent access to my login-protected site. Obviously I can set :expire_after in initializers/session_store.rb, but unless I'm wrong that simply sets the expiration of the cookie which is client-side and easily altered by an attacker so the session can live forever. Of course I can make things better by forcing SSL, using secure cookies, and forcing HTTP only, but this will never be a complete defense until I can enforce session expiry.
>
> How can I solve this problem when Rails is deprecating the only ways to have server-side sessions? Advice would certainly be appreciated!

You can store a 'valid_until' timestamp in the session. The attacker can't change this timestamp since it would change the cookie signature. Whenever you get a session with a valid_until in the past, reset the session.

Fred
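The check Fred describes, as an added example that is not part of the original thread and not Rails' own code: a stand-alone Ruby simulation of a signed cookie session store (HMAC-SHA256 over a JSON payload, standing in for the Rails cookie store and its secret_key_base) with a `valid_until` timestamp inside the signed data. It shows the three outcomes a defender cares about: a fresh session loads, a session past its `valid_until` is reset even though the browser would still send the cookie, and a cookie whose timestamp was edited without the server secret fails signature verification before the timestamp is even looked at. `SECRET`, `SESSION_TTL` and every function name below are this example's own assumptions, and the secret value is a constructed placeholder.

```ruby
require "openssl"
require "json"
require "base64"

# Server-side secret; in Rails this role is played by secret_key_base.
# Constructed placeholder value for the example only.
SECRET = "constructed-demo-secret-do-not-use".freeze
# Hypothetical policy: an absolute session lifetime of 30 minutes.
SESSION_TTL = 30 * 60

# Constant-time comparison so signature checks do not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize and sign a session hash the way a signed cookie store does:
# "<base64 payload>--<hex HMAC>". Only the holder of SECRET can produce
# a signature that matches a given payload.
def sign_session(data)
  payload = Base64.strict_encode64(JSON.generate(data))
  sig = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  "#{payload}--#{sig}"
end

# Verify the signature and decode the payload; nil on any failure.
def verify_session(cookie)
  payload, sig = cookie.to_s.split("--", 2)
  return nil if payload.nil? || sig.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  return nil unless secure_equal?(sig, expected)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# A freshly authenticated session carries a server-chosen expiry.
def new_session(user_id, now)
  { "user_id" => user_id, "valid_until" => (now + SESSION_TTL).to_i }
end

# Fred's rule: a session whose valid_until is in the past is thrown away.
# Returns [session_hash, reason]; session_hash is {} whenever it was reset.
def load_session(cookie, now)
  data = verify_session(cookie)
  return [{}, :bad_signature] if data.nil?
  valid_until = data["valid_until"]
  return [{}, :no_expiry] unless valid_until.is_a?(Integer)
  return [{}, :expired] if valid_until < now.to_i
  [data, :ok]
end

# Tamper test used to confirm the property: rewrite valid_until in the
# payload while keeping the old signature, as a client without SECRET
# would have to. verify_session must reject the result.
def extend_expiry_without_secret(cookie, new_valid_until)
  payload, sig = cookie.split("--", 2)
  data = JSON.parse(Base64.strict_decode64(payload))
  data["valid_until"] = new_valid_until
  "#{Base64.strict_encode64(JSON.generate(data))}--#{sig}"
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now
  cookie = sign_session(new_session(42, now))
  p load_session(cookie, now)                          # [{...}, :ok]
  p load_session(cookie, now + SESSION_TTL + 1)        # [{}, :expired]
  far_future = (now + 10 * 365 * 86_400).to_i
  p load_session(extend_expiry_without_secret(cookie, far_future), now)  # [{}, :bad_signature]
end
```

In a Rails app the same rule sits in a `before_action` in `ApplicationController`: compare `session[:valid_until]` with the current time and call `reset_session` when it is past. The `:expire_after` option in `session_store.rb` only sets the cookie's browser-side expiry attribute, which the client controls; the signed (and, in Rails 4, encrypted) `valid_until` value is what the server actually enforces. The remaining limit of a purely cookie-based session is that a stolen cookie stays usable until its `valid_until` passes, because there is no server-side record to revoke, so the TTL should be chosen with that window in mind.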
<ruby_on_rails_talk-1ADi/evJQotwe3NPdxwmkAC/G2K4zDHf@public.gmane.org>
2013-Jul-15 13:23 UTC
Re: Re: Rails 4: Session Expiry?
On Mon, Jul 15, 2013 at 7:09 AM, Frederick Cheung <frederick.cheung-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> You can store a 'valid_until' timestamp in the session. The attacker can't change this timestamp since it would change the cookie signature. Whenever you get a session with a valid_until in the past, reset the session.
>
> Fred

*face-palm* Thank you :) . The cookies are encrypted now anyways! I knew I just wasn't thinking about it quite right.

Kyle