On Mon, Jul 15, 2013 at 7:09 AM, Frederick Cheung <frederick.che...@gmail.com> wrote: > > > On Sunday, July 14, 2013 1:22:09 PM UTC+1, Kyle Fazzari wrote: >> >> I've been Googling this question for the past few hours, and I think it's >> time I simply ask this question myself. >> >> I just made the switch from Rails 3.2 to Rails 4. I'm trying to make sure >> I'm as up-to-speed as possible on security issues, and I'm concerned about >> sessions right now. It looks like Rails 4 has moved away from supporting >> really anything EXCEPT cookie-based sessions, but it sounds like it's not >> possible to prevent cookie-based sessions from living forever. I've been >> reading several articles, but this one is the most official: >> http://guides.rubyonrails.org/security.html#session-expiry . Notice how they >> point out that this is an issue for cookie-based sessions, then they give a >> fix for it for database-based sessions (which are now deprecated, >> apparently). >> >> I'm really confused. I want to be able to prevent an attacker from getting >> a cookie that gives him permanent access to my login-protected site. >> Obviously I can set :expire_after in initializers/session_store.rb, but >> unless I'm wrong that simply sets the expiration of the cookie which is >> client-side and easily altered by an attacker so the session can live >> forever. Of course I can make things better by forcing SSL, using secure >> cookies, and forcing HTTP only, but this will never be a complete defense >> until I can enforce session expiry. >> >> How can I solve this problem when Rails is deprecating the only ways to >> have server-side sessions? Advice would certainly be appreciated! >> >> > You can store a 'valid_until' timestamp in the session. The attacker can't > change this timestamp since it would change the cookie signature. Whenever > you get a session with a valid_until in the past, reset the session. > > Fred > > -- > You received this message because you are subscribed to the Google Groups > "Ruby on Rails: Talk" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to rubyonrails-talk+unsubscr...@googlegroups.com. > To post to this group, send email to rubyonrails-talk@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/rubyonrails-talk/e1ddca3b-6803-487a-b65c-fdf8de6f0785%40googlegroups.com. > > For more options, visit https://groups.google.com/groups/opt_out. > >
*face-palm* Thank you :) . The cookies are encrypted now anyways! I knew I just wasn't thinking about it quite right. Kyle -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscr...@googlegroups.com. To post to this group, send email to rubyonrails-talk@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/CAMvhsDYNOzUtiitWhaxm-xkVGjtvHKz-FQ8PS6%3Dx4HbVZHXH3g%40mail.gmail.com. For more options, visit https://groups.google.com/groups/opt_out.