stackoom
  简体   繁体   中英

Rails 4: Does Devise address session fixation by resetting session after login?

 原文  2015-07-04 03:55:48       ruby-on-rails/ security/ session/ ruby-on-rails-4/ devise

Question

I'm going through the Rails Security Guide and I'm trying to figure out if I need to address session fixation by resetting the user's session after login and assigning the new session to the user.

I'm using Devise 3.4.1 right now. Does Devise automatically take care of this? If not, what do I need to change to protect my site against session fixation?

1 answers

solution1
 4 ACCPTED  2015-07-04 08:09:26

Devise is not vulnerable to session fixation attacks, as of this commit on November 20th, 2010 ( related blog post ).

This is confirmed by Jose Valim, one of its authors, in a blog post about CSRF token fixation attacks.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Devise Resetting Session On Login Rails devise does not start session after registration session fixation After upgrading to Rails 3.2.2 and Devise 2.0.4, logout does not destroy session How does Rails / Devise relate a session to a user? Rails 4 - Devise not binding session Devise rails session ID Destroy Session, Rails Devise Already login How to override user session + devise + rails Working with Devise Login / Session Validation Error Messages in Rails 5.0
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM