Rails 3 with Authlogic and reset_session call

The RoR Security Guide states that you must "issue a new session identifier and declare the old one invalid after a successful login", using the reset_session method, to combat session fixation.

I could not find any recommendations for calling reset_session when using Authlogic. Is this just a case of adding the call to the controller action (as shown below)?

I'm just worried about causing problems for Authlogic, as I can see both the user_credentials and user_credentials_id keys and values in the session hash before reset_session is called.

    class UserSessionsController < ApplicationController
      def create
        @user_session = current_client.user_sessions.new(params[:user_session])
        if @user_session.save
          reset_session
          flash[:success] = I18n.t(:msg_login_success)
          redirect_back_or_default application_root_path
        else
          render :action => :new
        end
      end
    end
+4
2 answers

For reference, this is my current method:

    def create
      @user_session = current_client.user_sessions.new(params[:user_session])
      if @user_session.save
        # reset the session to counter session fixation, while retaining values
        # except for those the application has created specific to the current user
        temp_session = session.merge("current_user" => {}).clone
        reset_session
        session.reverse_merge!(temp_session)
        # set flash msg and redirect
        flash[:success] = I18n.t(:msg_login_success)
        redirect_back_or_default application_root_path
      else
        render :action => :new
      end
    end

The reset_session call is still made after a successful login, as recommended at http://guides.rubyonrails.org/security.html#session-fixation-countermeasures

+1

Yes, resetting the session AFTER you have logged the user in (which is what seems to be happening?) is definitely not right. You want to do this BEFORE the user is logged in.

Ideally, you want to do this before the login, but only if the login is actually going to succeed. I'm not sure whether you can get auth_logic to do that; I'm not very experienced with auth_logic, although this is REALLY a good question for auth_logic. If I were you, I would file it as a support ticket with auth_logic.

But in the meantime, you could just try calling reset_session at the top of the action method, before @user_session = current_client.user_sessions.new(params[:user_session]) . I think this will work; in the worst case it resets the session in some cases where you didn't really have to (when the user's credentials were invalid), but I don't think that will cause a serious problem. (Unless it leads to losing the validation errors? Hmm.)

But then again, I'm not an auth_logic expert. I don't expect you to accept this answer, since I don't have the experience to really answer it; I'm just sharing what I think, in case it helps you, and giving you some guidance on how to think about this one.

0
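As an added illustration (not code from the question, either answer, or Authlogic itself), the following plain-Ruby model of a session store shows the ordering both answers are arguing about: the reset invalidates the pre-login session id, carries over only application keys the app chooses to keep, and is performed before the credential keys Authlogic uses (user_credentials, user_credentials_id) are written, so they land in the fresh session. The SessionStore class, the CARRY_OVER_KEYS list and the credential values are constructed assumptions for the model.

```ruby
require 'securerandom'

# Keys Authlogic writes for a persisted UserSession (named in the question).
AUTHLOGIC_KEYS = %w[user_credentials user_credentials_id].freeze
# Application keys the app chooses to carry across the reset (assumed names).
CARRY_OVER_KEYS = %w[return_to locale].freeze

# Minimal stand-in for a server-side session store: session id => data hash.
class SessionStore
  attr_reader :sessions
  def initialize; @sessions = {}; end

  def new_session(data = {})
    id = SecureRandom.hex(16)   # fresh, unguessable identifier
    @sessions[id] = data
    id
  end

  def [](id); @sessions[id]; end
end

# Correct ordering: keep only whitelisted keys, invalidate the old id,
# mint a new one, and only then record the login in the new session.
def login_with_reset(store, old_id, credentials)
  old = store[old_id] || {}
  kept = old.select { |k, _| CARRY_OVER_KEYS.include?(k) }
  store.sessions.delete(old_id)            # reset_session: old id is now invalid
  new_id = store.new_session(kept)
  store[new_id]["user_credentials"] = credentials[:token]
  store[new_id]["user_credentials_id"] = credentials[:id]
  new_id
end

# The ordering the question worries about, modelled here: writing the
# credentials first and then resetting discards them with the old session.
def login_then_reset(store, old_id, credentials)
  old = store[old_id] || {}
  old["user_credentials"] = credentials[:token]
  old["user_credentials_id"] = credentials[:id]
  store.sessions.delete(old_id)
  store.new_session({})
end

# True when no session in the store still carries the old, attacker-known id.
def old_id_invalid?(store, old_id)
  !store.sessions.key?(old_id)
end
```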

Source: https://habr.com/ru/post/1432262/
