Hi, I am using the Devise LDAP Authenticatable gem, and I am running into some issues trying to properly invalidate the session cookie.
Ex:
This is a security issue I need to get resolved, since this allows a hacker to just sniff the cookie and authenticate himself as an authorized user logged into the app.
It seems like when I call destroy_user_session_path, Devise LDAP does not actually invalidate the old session; instead it just creates a new session and gives it to the user's browser.
Are there any Devise settings I can use to change this? I really don't want to change the actual Devise gem myself.
devise.rb
Devise.setup do |config|
  # devise_ldap_authenticatable: create a local user record on first LDAP login,
  # never push password changes back to the directory
  config.ldap_create_user = true
  config.ldap_update_password = false
  config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
  require 'devise/orm/active_record'
  config.authentication_keys = [ :email ]
  config.case_insensitive_keys = [ :email ]
  config.strip_whitespace_keys = [ :email ]
  # HTTP Basic auth logins are not persisted into the session
  config.skip_session_storage = [:http_auth]
  # bcrypt cost factor (only relevant for locally stored passwords)
  config.stretches = Rails.env.test? ? 1 : 10
  config.reconfirmable = true
  config.reset_password_within = 6.hours
  # sign-out is only accepted as a DELETE request
  config.sign_out_via = :delete
end
This is the standard behavior for a cookie-based session store - specifically the default Rails/Rack CookieStore. The session is completely saved in the cookie and there is no session state (as far as I know) on the server. What this means is that if anyone steals the cookie they have access to that user's account, and the only way to invalidate the cookie is to change the secret used to digitally sign the cookie. The best defense is to use SSL for your whole site. You can also add some before/after filters to ApplicationController and apply some other mitigation strategies such as timestamps and keeping a list of valid/active sessions. This link does a good job of describing some options:
https://www.coffeepowered.net/2013/09/26/rails-session-cookies/
Here is the issue: https://github.com/plataformatec/devise/issues/3031
You must change the session store to Active Record Session Store - https://github.com/rails/activerecord-session_store
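The two answers above describe the same root cause (a signed cookie carries the whole session, so "signing out" only hands the browser a fresh cookie and never revokes the sniffed one) and the same class of fix (keep session state on the server, either in a session table or as a list of live sessions). The following is an added, self-contained Ruby example, not code from the question, the answers, Devise or Rails. It uses a simplified HMAC-signed cookie as a stand-in for Rails' CookieStore (the real format differs; the stateless property is what matters), a constructed demo secret, and two toy "apps": one stateless, one that keeps a server-side allowlist of session ids. It shows the replayed cookie still authenticating after sign-out in the first and being rejected in the second.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Constructed demo secret; stands in for Rails' secret_key_base.
SECRET_KEY_BASE = 'constructed-demo-secret-not-for-production'

# Constant-time string comparison so the MAC check cannot be used as an oracle.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Simplified stand-in for a cookie-based session store --------------------
# The whole session is in the cookie: base64(JSON) + HMAC over it. Nothing is
# kept on the server, which is exactly why sign-out cannot revoke a copy.
def sign_session(session_hash)
  payload = Base64.strict_encode64(JSON.generate(session_hash))
  mac = OpenSSL::HMAC.hexdigest('SHA256', SECRET_KEY_BASE, payload)
  "#{payload}--#{mac}"
end

# Returns the session hash if the signature is valid, nil otherwise.
def verify_session(cookie)
  payload, mac = cookie.to_s.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET_KEY_BASE, payload)
  return nil unless secure_compare(expected, mac)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# --- The behaviour described in the question ---------------------------------
# Sign-out issues a new empty session to the browser; the old cookie still
# carries a valid signature, so a sniffed copy keeps working.
class StatelessApp
  def sign_in(user_id)
    sign_session('user_id' => user_id)
  end

  def current_user_id(cookie)
    session = verify_session(cookie)
    session && session['user_id']
  end

  def sign_out(_cookie)
    sign_session({}) # nothing to revoke: no server-side record exists
  end
end

# --- Server-side session state (the fix both answers point at) ---------------
# A per-session id is stored in the cookie AND in a server-side allowlist; in a
# Rails app that list would be a database table (activerecord-session_store) or
# a token column on the users table checked in a before_action.
class StatefulApp
  def initialize
    @active = {} # session id => user id (in-memory for the demo)
  end

  def sign_in(user_id)
    sid = SecureRandom.hex(16)
    @active[sid] = user_id
    sign_session('user_id' => user_id, 'sid' => sid)
  end

  # A valid signature is necessary but not sufficient: the session must also
  # still be live on the server.
  def current_user_id(cookie)
    session = verify_session(cookie)
    return nil unless session && session['sid']
    @active[session['sid']] == session['user_id'] ? session['user_id'] : nil
  end

  def sign_out(cookie)
    session = verify_session(cookie)
    @active.delete(session['sid']) if session # revoke every copy of this session
    sign_session({})
  end
end

# Victim signs in (attacker sniffs the cookie), victim signs out, attacker
# replays the sniffed cookie. Returns the user id the replay authenticates as.
def replay_after_sign_out(app)
  cookie = app.sign_in(42)
  app.sign_out(cookie)
  app.current_user_id(cookie)
end

if __FILE__ == $PROGRAM_NAME
  puts "stateless replay -> #{replay_after_sign_out(StatelessApp.new).inspect}"
  puts "stateful replay  -> #{replay_after_sign_out(StatefulApp.new).inspect}"
end
```

The signature check alone can only tell you that the cookie was minted by your server, never that the session it names was ended. The stateful variant also gives you what the first answer calls a list of valid/active sessions, so an administrator can revoke a specific user's sessions without rotating the signing secret for everyone; TLS for the whole site remains the only thing that stops the cookie being sniffed in the first place.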