
Rails: Devise not properly destroying user session cookie after calling destroy_user_session_path

Hi, I am using the Devise LDAP Authenticatable gem, and I am running into some issues trying to properly invalidate the session cookie.

Ex:

  • A user logs into the application and saves his session cookie
  • The user logs out and is given a new session cookie
  • The user can log back into the server by forcing his browser to use the old session cookie he saved

This is a security issue I need to get resolved, since this allows a hacker to just sniff the cookie and authenticate himself as an authorized user logged into the app.

It seems like when I call destroy_user_session_path, Devise LDAP does not actually invalidate the old session; instead it just creates a new session and gives it to the user's browser.

Are there any Devise settings I can use to change this? I really don't want to change the actual Devise gem myself.

devise.rb

Devise.setup do |config|

  config.ldap_create_user = true
  config.ldap_update_password = false

  config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"

  require 'devise/orm/active_record'

  config.authentication_keys = [ :email ]

  config.case_insensitive_keys = [ :email ]

  config.strip_whitespace_keys = [ :email ]

  config.skip_session_storage = [:http_auth]

  config.stretches = Rails.env.test? ? 1 : 10

  config.reconfirmable = true

  config.reset_password_within = 6.hours

  config.sign_out_via = :delete

end

This is the standard behavior for a cookie based session store - specifically the default Rails/Rack CookieStore. The session is completely saved in the cookie and there is no session state (as far as I know) on the server. What this means is that if anyone steals the cookie they have access to that user's account, and the only way to invalidate the cookie is to change the secret used to digitally sign the cookie. The best defense is to use SSL for your whole site. You can also add some before/after filters to ApplicationController and apply some other mitigation strategies such as timestamps and keeping a list of valid/active sessions. This link does a good job of describing some options:

https://www.coffeepowered.net/2013/09/26/rails-session-cookies/
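The answer above describes why a signed cookie-only session cannot be revoked and suggests keeping a server-side list of active sessions plus timestamps. The following Ruby is an added example (not code from the answer, from Devise or from Rails) that models both halves: a minimal CookieStore stand-in that signs the whole session into the cookie, and a SessionRegistry that keeps a random per-login token on the server so that sign-out actually revokes the old cookie. The class names, the `authenticate` helper standing in for an ApplicationController before_action, and the point at which `sign_in`/`sign_out` would be wired into Devise are all assumptions for illustration. The `replay_scenario` method reproduces the exact sequence from the question and shows the replayed cookie being rejected.

```ruby
require 'securerandom'
require 'openssl'
require 'json'
require 'base64'

# Constant-time string comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal stand-in for the Rails CookieStore (an assumption modelled on it, not
# Rails' own code). The whole session hash lives in the cookie, signed with a
# server secret; nothing is kept server-side, which is why a cookie saved before
# logout still verifies afterwards.
class CookieStore
  def initialize(secret)
    @secret = secret
  end

  def encode(session_hash)
    payload = Base64.strict_encode64(JSON.generate(session_hash))
    "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)}"
  end

  # Returns the session hash, or nil when the signature does not verify.
  def decode(cookie)
    payload, sig = cookie.to_s.split('--', 2)
    return nil if payload.nil? || sig.nil?
    expected = OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
    return nil unless secure_equal?(expected, sig)
    JSON.parse(Base64.strict_decode64(payload))
  end
end

# Server-side registry of active sessions: the "list of valid/active sessions"
# mitigation, plus an expiry timestamp so idle sessions die on their own.
# The cookie only carries a random token; sign-out deletes the server entry,
# so the old cookie stops working even though its signature is still valid.
class SessionRegistry
  def initialize(clock: -> { Time.now })
    @active = {}
    @clock = clock
  end

  # Issues a fresh token on every login. Calling this from Devise's sign-in
  # hook is assumed here, not shown.
  def sign_in(user_id, ttl: 3600)
    token = SecureRandom.hex(32)
    @active[token] = { user_id: user_id, expires_at: @clock.call + ttl }
    token
  end

  # Revoke on logout; the matching cookie is now useless wherever it was copied.
  def sign_out(token)
    @active.delete(token)
  end

  # Returns the user id for an active, unexpired token; nil otherwise.
  def current_user_id(token)
    entry = @active[token]
    return nil if entry.nil?
    if entry[:expires_at] <= @clock.call
      @active.delete(token)
      return nil
    end
    entry[:user_id]
  end
end

# Stand-in for a before_action in ApplicationController (hypothetical name):
# verify the cookie signature, then require the token to still be registered.
def authenticate(store, registry, cookie)
  session = store.decode(cookie)
  return nil if session.nil?
  registry.current_user_id(session['session_token'])
end

# Replays the sequence from the question: log in, keep a copy of the cookie,
# log out, then present the saved cookie again. Returns what each step resolved to.
def replay_scenario
  store = CookieStore.new(SecureRandom.hex(32))   # constructed secret
  registry = SessionRegistry.new
  token = registry.sign_in(42)                    # constructed user id
  saved_cookie = store.encode('session_token' => token)
  before_logout = authenticate(store, registry, saved_cookie)
  registry.sign_out(token)
  fresh_cookie = store.encode({})                 # what the browser gets after logout
  {
    before_logout: before_logout,                                # => 42
    after_logout: authenticate(store, registry, saved_cookie),   # => nil, revoked server-side
    fresh_cookie: authenticate(store, registry, fresh_cookie)    # => nil, carries no token
  }
end

puts replay_scenario.inspect if __FILE__ == $PROGRAM_NAME
```

The design choice worth noting is that the cookie keeps its signature after logout (the CookieStore alone would still accept it), and it is only the registry lookup in the before_action that turns the replay into a failed request. Switching Rails to a database-backed session store achieves the same effect by moving the whole session, not just a token, to the server.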

Here is the issue: https://github.com/plataformatec/devise/issues/3031

You must change session store to Active Record Session Store - https://github.com/rails/activerecord-session_store
