Authlogic disables CSRF protection by default #310

Open
jfirebaugh opened this Issue · 4 comments

5 participants

@jfirebaugh

By default authlogic effectively disables CSRF protection, because it does not provide an override of handle_unverified_request that clears the user_credentials cookie. See this blog post for details.

Authlogic should override handle_unverified_request in a manner similar to devise. Current applications using authlogic are vulnerable to CSRF unless they provide such an override themselves.

@james

I have found this issue too. It took me ages to figure out, and requires you to have noticed it in the first place, which is unlikely.

I am happy to write a patch if wanted.

@maletor

This is a vulnerability @binarylogic.

@garygreyling

As I see it, a universal fix isn't that simple. Authlogic requires that you define current_user_session. Which means that the instance variables that cache the current user session could be different in each app, so Authlogic reliably couldn't implement the fix as mentioned here.

The only way to have the fix live within Authlogic, is to change the Authlogic Rails adapter to define current_user_session and thus have Authlogic take control of how the session is cached. And thus be able to kill it more certainly. The problem being, everyone using Authlogic has already implemented current_user_session and may never remove their definition (given that this update happens) and thus still be vulnerable.

So for now, the easiest fix is an app specific definition of handle_unverified_requests as mentioned in the article above. Which sucks, because by default, Authlogic is blatantly susceptible to CSRF attacks. Unless of course, we make a small but fundamental change to its interface and get everyone to update not just their version, but their implementation :)
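To make the mechanism under discussion concrete, here is an added illustration that is not Authlogic, Rails or Devise code: a stripped-down model of Rails' protect_from_forgery flow with a stand-in Authlogic UserSession, showing why the default handle_unverified_request leaves a cookie-persisted login intact, and the app-specific override the thread recommends. Every class name, the persistence token table and the request values are constructed for this example.

```ruby
# Stand-in for an Authlogic UserSession. Authlogic persists a login in a
# `user_credentials` cookie holding a persistence token and restores the
# session from that cookie whenever the Rails session has no record of it.
class UserSession
  COOKIE_KEY = :user_credentials
  # Constructed sample data: persistence token => login.
  PERSISTENCE_TOKENS = { "tok-alice" => "alice" }.freeze

  attr_reader :user

  def self.find(session, cookies)
    token = session[:user_credentials_id] || cookies[COOKIE_KEY]
    user = PERSISTENCE_TOKENS[token]
    user && new(user, session, cookies)
  end

  def initialize(user, session, cookies)
    @user, @session, @cookies = user, session, cookies
  end

  # Destroying the session must also remove the cookie; otherwise the next
  # request simply restores the login from it.
  def destroy
    @session.delete(:user_credentials_id)
    @cookies.delete(COOKIE_KEY)
    @user = nil
  end
end

# Stand-in for a Rails controller with `protect_from_forgery` enabled.
# Plain hashes play the part of params, the cookie jar and the session.
class DefaultController
  attr_reader :params, :cookies, :session

  def initialize(params, cookies, session)
    @params, @cookies, @session = params, cookies, session
  end

  # Mirrors RequestForgeryProtection: verify first, and delegate to
  # handle_unverified_request when verification fails.
  def process(action)
    handle_unverified_request unless verified_request?
    public_send(action)
  end

  def verified_request?
    !session[:_csrf_token].nil? && params[:authenticity_token] == session[:_csrf_token]
  end

  # Default behaviour (Rails 3.x): reset the session and carry on. The
  # Authlogic cookie is untouched, so the login is restored from it.
  def handle_unverified_request
    reset_session
  end

  def reset_session
    session.clear
  end

  # The helper each Authlogic app defines itself, which is why the gem
  # cannot reliably tear it down on its own.
  def current_user_session
    @current_user_session ||= UserSession.find(session, cookies)
  end

  def current_user
    current_user_session && current_user_session.user
  end

  # Action that reports which user the request is authenticated as.
  def whoami
    current_user
  end
end

# App-specific override in the spirit of Devise's: keep the default reset,
# then explicitly destroy the Authlogic session and its cookie.
class HardenedController < DefaultController
  def handle_unverified_request
    super
    current_user_session.destroy if current_user_session
    @current_user_session = nil
  end
end

# Simulates a forged cross-site POST: the browser attaches the victim's
# cookies, but the request carries no valid authenticity token.
def user_seen_by_forged_request(controller_class)
  controller_class.new({}, { UserSession::COOKIE_KEY => "tok-alice" }, { _csrf_token: "csrf-secret" })
                  .process(:whoami)
end

# A legitimate same-origin request carrying the matching token.
def user_seen_by_legitimate_request(controller_class)
  controller_class.new({ authenticity_token: "csrf-secret" },
                       { UserSession::COOKIE_KEY => "tok-alice" },
                       { _csrf_token: "csrf-secret" })
                  .process(:whoami)
end

if $PROGRAM_NAME == __FILE__
  puts "default:  forged request runs as #{user_seen_by_forged_request(DefaultController).inspect}"
  puts "hardened: forged request runs as #{user_seen_by_forged_request(HardenedController).inspect}"
end
```

Run with `ruby csrf_demo.rb`: the default controller still reports the forged request as `"alice"`, because clearing the Rails session does nothing to the `user_credentials` cookie, while the hardened controller reports `nil`. Legitimate requests with the correct token behave identically under both. In a real app the override goes in ApplicationController, where current_user_session is already defined, which is exactly why the thread concludes it has to be app-specific.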

@rickharris rickharris referenced this issue
Commit has since been removed from the repository and is no longer available.
@latortuga

Obviously this issue has been addressed by the comments above by @garygreyling. However, it's really undesirable to have this gem be insecure by default - at the very least it goes against what Rails stands for (convention over configuration). Could it provide a default implementation or at the very least, a call out in the README to implement one yourself?

@lukeasrodgers lukeasrodgers added a commit to lukeasrodgers/authlogic that referenced this issue
@lukeasrodgers lukeasrodgers Adding note about CSRF protection to README.
Fixes #310
3fef837
@lukeasrodgers lukeasrodgers added a commit to lukeasrodgers/authlogic that referenced this issue
@lukeasrodgers lukeasrodgers Adding note about CSRF protection to README.
Fixes #310
72a7c1b