user_credential cookie vulnerable to replay attack after user logs out #309
Comments
Any updates on this?
Why wouldn't a link between session and user be stored in the server? I was under the assumption the logged in user was associated with a session. I spent hours trying to find the association in my database until I looked at the cookie and saw that user identification and user session are independently in the cookie. From what I can tell, there is no way from the server side to know which session is associated with which user. This is important for banning users, where you might want to immediately invalidate their session. In order to invalidate a session in this way, you need to know all sessions associated with one user.
@jmaxxz wondering, as it's been 3 years... did you ever find a way to overcome this?
Some thoughts:
@AvnerCohen use JWT tokens instead of this project. It has been a while since I have done RoR work so I don't feel I can provide you good advice on a lib to do that.
@jmaxxz thanks :) I'm way after the call on what project to use. JWT where I can, but this is some legacy I can't easily drop. @tiegz thanks for your input. Yeah, multiple persistence_tokens seems to be a reasonable solution. I'll check to see if this is something we require.
@AvnerCohen you ever find a good solution to this? Same boat, legacy code :/
@grantgeorge Nope, never found one. From a security standpoint, the only thing one can say is that if an attacker got your login cookie (and SSL is assumed), he is probably on your machine already, so maybe this is the least of your concerns...
@AvnerCohen dang, thanks man. As far as I can tell Authlogic uses this user_credentials cookie to determine if a session exists. It makes no sense to me why it can't just depend on session
@grantgeorge authlogic tries both cookie and session. OTOH I think you may be able to set
Hello, I'm going through old authlogic issues and seeing what to do with them. If this is a feature suggestion, it's still relevant, and you are committed to If this is a usage question, please ask it on stackoverflow. Unfortunately, Thanks!
user_credential cookie is the same every time a user logs in. System should generate a new random user_credential every time a user logs in. When a user logs out this session credential should be invalidated. This is a risk because under the current implementation if a user's user_credential is ever compromised it remains usable as a credential long after the user has logged out.
Consider tracking user session credentials and expiration in a separate table; this way the persistence token for each user session can be randomly generated at every login, expired after a specified time, and disabled by the user (think of Gmail's "log me out from all other locations" feature).
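The issue body above proposes a per-login session-credential table with expiry and user-driven revocation, and the earlier comment about banning users asks for a server-side link from user to sessions. The following is an added illustration of that design in plain Ruby; it is not Authlogic code and does not use Authlogic's API. It assumes an in-memory hash standing in for the proposed table, a cookie value that is a fresh random token per login, and (an added choice, not stated in the issue) storing only a SHA-256 digest of the token so a database leak does not yield usable cookies.

```ruby
require 'securerandom'
require 'digest'

# Added example (not Authlogic's implementation): a minimal server-side
# session-credential table. Each login mints a fresh random token; only its
# digest is stored. Records carry an expiry and a revoked flag, which gives
# logout, bans and "log me out of all other locations" something to act on.
class SessionStore
  Record = Struct.new(:user_id, :token_digest, :expires_at, :revoked)

  def initialize
    @by_digest = {} # token digest => Record (stands in for a DB table)
  end

  # Login: mint a new random credential and return the raw token that goes
  # into the cookie. Every call returns a different value, even for one user.
  def login(user_id, ttl: 14 * 24 * 3600, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @by_digest[digest(token)] = Record.new(user_id, digest(token), now + ttl, false)
    token
  end

  # Authenticate a cookie value: the user id, or nil when the token is unknown,
  # expired or revoked (a replayed post-logout cookie lands on the revoked check).
  def authenticate(token, now: Time.now)
    rec = @by_digest[digest(token.to_s)]
    return nil if rec.nil? || rec.revoked || now >= rec.expires_at
    rec.user_id
  end

  # Logout revokes exactly the presented session; returns whether one existed.
  def logout(token)
    rec = @by_digest[digest(token.to_s)]
    rec.revoked = true if rec
    !rec.nil?
  end

  # Ban, or "log me out of all other locations": revoke every session of a
  # user, optionally keeping the one currently in use. Returns the count revoked.
  def revoke_all(user_id, except_token: nil)
    keep = except_token && digest(except_token)
    @by_digest.each_value.count do |rec|
      next false unless rec.user_id == user_id && rec.token_digest != keep && !rec.revoked
      rec.revoked = true
    end
  end

  # Number of live sessions a user holds; the server now knows user => sessions.
  def active_sessions(user_id, now: Time.now)
    @by_digest.values.count { |r| r.user_id == user_id && !r.revoked && now < r.expires_at }
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Walk-through with constructed values: two logins, a logout, a replay attempt,
# expiry, and a revoke-all that keeps the current session.
def demo
  store = SessionStore.new
  t0 = Time.utc(2024, 1, 1)
  a = store.login(42, now: t0)
  b = store.login(42, now: t0) # second login: different credential
  r = {}
  r[:distinct] = (a != b)
  r[:valid_before_logout] = store.authenticate(a, now: t0 + 60)
  store.logout(a)
  r[:replay_after_logout] = store.authenticate(a, now: t0 + 120)   # nil
  r[:other_session_still_ok] = store.authenticate(b, now: t0 + 120) # 42
  r[:expired] = store.authenticate(b, now: t0 + 15 * 24 * 3600)     # nil
  c = store.login(42, now: t0)
  d = store.login(42, now: t0)
  r[:revoked_count] = store.revoke_all(42, except_token: c)        # b and d
  r[:kept] = store.authenticate(c, now: t0 + 1)                    # 42
  r[:revoked_other] = store.authenticate(d, now: t0 + 1)           # nil
  r[:active_after] = store.active_sessions(42, now: t0 + 1)        # 1
  r
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the walk-through is the `replay_after_logout` line: once logout flips the revoked flag, the same cookie value no longer authenticates, which is exactly what the current single, reused user_credential cannot provide. In a real application the hash would be a table keyed by the digest with an index on user_id, and expired rows would be pruned on a schedule.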