Authlogic disables CSRF protection by default #310

Closed
jfirebaugh opened this Issue May 2, 2012 · 4 comments


5 participants

@jfirebaugh

By default authlogic effectively disables CSRF protection, because it does not provide an override of handle_unverified_request that clears the user_credentials cookie. See this blog post for details.

Authlogic should override handle_unverified_request in a manner similar to devise. Current applications using authlogic are vulnerable to CSRF unless they provide such an override themselves.

@james
james commented Aug 28, 2012

I have found this issue too. It took me ages to figure out, and requires you to have noticed it in the first place, which is unlikely.

I am happy to write a patch if wanted.

@maletor
maletor commented Nov 18, 2012

This is a vulnerability @binarylogic.

@garygreyling

As I see it, a universal fix isn't that simple. Authlogic requires that you define current_user_session. Which means that the instance variables that cache the current user session could be different in each app, so Authlogic couldn't reliably implement the fix as mentioned here.

The only way to have the fix live within Authlogic, is to change the Authlogic Rails adapter to define current_user_session and thus have Authlogic take control of how the session is cached. And thus be able to kill it more certainly. The problem being, everyone using Authlogic has already implemented current_user_session and may never remove their definition (given that this update happens) and thus still be vulnerable.

So for now, the easiest fix is an app specific definition of handle_unverified_requests as mentioned in the article above. Which sucks, because by default, Authlogic is blatantly susceptible to CSRF attacks. Unless of course, we make a small but fundamental change to its interface and get everyone to update not just their version, but their implementation :)

@latortuga

Obviously this issue has been addressed by the comments above by @garygreyling. However, it's really undesirable to have this gem be insecure by default - at the very least it goes against what Rails stands for (convention over configuration). Could it provide a default implementation or at the very least, a call out in the README to implement one yourself?
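
A constructed Ruby model of what the thread describes, added here as an example and not code from Authlogic, Rails or any commenter: a controller stand-in whose default handle_unverified_request only resets the session (so the Authlogic user_credentials cookie survives a forged request) beside an override that also discards that cookie and the cached current_user_session. FakeController, HardenedController, the plain-hash cookies/session and simulate_forged_request are all hypothetical names invented for this example.

```ruby
# Stand-in for a Rails controller using Authlogic's cookie persistence.
# Every class and helper here is hypothetical and constructed for this
# example; none of it is Rails' or Authlogic's real code.
class FakeController
  attr_reader :cookies, :session
  def initialize(cookies, session)
    @cookies = cookies  # plain hash standing in for the Rails cookie jar
    @session = session  # plain hash standing in for the Rails session store
  end

  # Minimal model of Rails' forgery check: a non-GET request must carry the
  # token kept in the session; on mismatch handle_unverified_request runs.
  def verify_authenticity_token(method, submitted_token)
    return true if method == :get
    return true if submitted_token && submitted_token == session[:_csrf_token]
    handle_unverified_request
    false
  end

  # Default behaviour as the issue describes it: only the session is reset,
  # so the Authlogic persistence cookie (user_credentials) is left untouched.
  def handle_unverified_request
    session.clear
  end

  # Mirrors the app-defined current_user_session the thread talks about:
  # the cached session object is rebuilt from the user_credentials cookie.
  def current_user_session
    @current_user_session ||= cookies[:user_credentials] && { credentials: cookies[:user_credentials] }
  end
end

# The override the thread asks for: also discard the Authlogic cookie and the
# per-request cache, so a forged request no longer acts as the logged-in user.
class HardenedController < FakeController
  def handle_unverified_request
    super
    cookies.delete(:user_credentials)
    @current_user_session = nil
  end
end

# Drives one forged POST (no CSRF token) and returns what the app would then
# see as the current session: a hash if the cookie survived, nil if cleared.
def simulate_forged_request(klass)
  cookies = { user_credentials: "constructed-persistence-token" }  # constructed
  ctrl = klass.new(cookies, { _csrf_token: "constructed-csrf-token" })
  ctrl.verify_authenticity_token(:post, nil)
  ctrl.current_user_session
end
```

With the default stand-in the forged request still resolves to a logged-in session; with the override it resolves to nil, which is the whole point of clearing the cookie.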

@lukeasrodgers lukeasrodgers added a commit to lukeasrodgers/authlogic that referenced this issue Feb 9, 2015
@lukeasrodgers lukeasrodgers Adding note about CSRF protection to README.
Fixes #310
3fef837
@lukeasrodgers lukeasrodgers added a commit to lukeasrodgers/authlogic that referenced this issue Feb 9, 2015
@lukeasrodgers lukeasrodgers Adding note about CSRF protection to README.
Fixes #310
72a7c1b
@lukeasrodgers lukeasrodgers added a commit to lukeasrodgers/authlogic that referenced this issue Feb 19, 2016
@lukeasrodgers lukeasrodgers Adding note about CSRF protection to README.
Fixes #310
6362d8e
@jaredbeck jaredbeck closed this in #448 Jul 17, 2016