Rails:在调用destroy_user_session_path之后,Devise无法正确销毁用户会话cookie
[英]Rails: Devise not properly destroying user session cookie after calling destroy_user_session_path
问题描述
Hi I am using the Devise LDAP Authenticatable gem, and I am running into some issues trying to properly invalidate the session cookie. 
嗨,我正在使用Devise LDAP Authenticatable gem,并且在尝试正确使会话cookie失效时遇到了一些问题。
Ex: 例如:
- A user logs into the application and saves his session cookie 用户登录到应用程序并保存其会话cookie
- The user logs out and is given a new session cookie 用户注销并获得新的会话cookie
- The user can log back into the server by forcing his browser to use the old session cookie he saved 用户可以通过强制浏览器使用他保存的旧会话cookie来重新登录服务器。
This is a security issue I need to get resolved, since this allows a hacker to just sniff the cookie and authenticate himself as an authorized user logged into the app. 这是我需要解决的安全问题,因为这使黑客可以嗅探cookie并以授权用户身份登录该应用程序来对自己进行身份验证。
It seems like when I call destroy_user_session_path, Devise LDAP does not actually invalidate the old session, instead it just creates a new session and gives it the users browser. 似乎当我调用destroy_user_session_path时,Devise LDAP实际上不会使旧会话无效,而是仅创建一个新会话并将其提供给用户浏览器。
Is there any devise settings I can use to change this. 有什么设计设置可用于更改此设置。 I really don't want to change the actual devise gem myself. 我真的不想自己更改实际的设计宝石。
devise.rb devise.rb
Devise.setup do |config|
config.ldap_create_user = true
config.ldap_update_password = false
config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
require 'devise/orm/active_record'
config.authentication_keys = [ :email ]
config.case_insensitive_keys = [ :email ]
config.strip_whitespace_keys = [ :email ]
config.skip_session_storage = [:http_auth]
config.stretches = Rails.env.test? ? 1 : 10
config.reconfirmable = true
config.reset_password_within = 6.hours
config.sign_out_via = :delete
end
2 个解决方案
解决方案1
1 2013-10-04 18:45:06
This is the standard behavior for a cookie based session store - specifically the default Rails/Rack CookieStore. 这是基于cookie的会话存储的标准行为-特别是默认的Rails / Rack CookieStore。 The session is completely saved in the cookie and there is no session state (as far as I know) on the server. 会话完全保存在cookie中,并且在服务器上没有会话状态(据我所知)。 What this means is that if anyone steals the cookie they have access to that users account and the only way to invalidate the cookie is to change the secret used to digitally sign the cookie. 这意味着如果任何人窃取了cookie,他们就可以访问该用户帐户,并且使cookie无效的唯一方法是更改用于对cookie进行数字签名的机密。 The best defense is to use SSL for your whole site. 最好的防御方法是对整个站点使用SSL。 You can also add some before/after filters to ApplicationController and apply some other mitigation strategies such as timestamps and keeping a list of valid/active sessions. 您还可以在ApplicationController之前/之后添加一些过滤器,并应用其他一些缓解策略,例如时间戳和保留有效/活动会话的列表。 This link does a good job of describing some options: 该链接很好地描述了一些选项:
https://www.coffeepowered.net/2013/09/26/rails-session-cookies/ https://www.coffeepowered.net/2013/09/26/rails-session-cookies/
解决方案2
0 2018-03-28 14:59:23
Here issue: https://github.com/plataformatec/devise/issues/3031 在这里发出: https : //github.com/plataformatec/devise/issues/3031
You must change session store to Active Record Session Store - https://github.com/rails/activerecord-session_store 您必须将会话存储更改为Active Record会话存储-https : //github.com/rails/activerecord-session_store
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.