Improve session expiration #391
Comments
👍, thanks @beaugunderson! cc @squirrelo @antgonza @josenavas @ElDeveloper @adamrp, this approach may be of interest on qiita
Yes, I like this idea a lot! On (Feb-27-15|15:49), Daniel McDonald wrote:
I'm cool with it.
Makes good sense to me. Security-wise, what circumstances would warrant a
@adamrp If you found a vulnerability that enabled session hijacking that would be an excellent reason to invalidate all existing sessions. :)
OK, a simple pull request for this is at #392.
Currently a new `COOKIE_SECRET` is chosen each time the server starts, invalidating all previous sessions. From discussions with @wasade it seems that this invalidation can be a barrier to deployment (it logs everyone out and that's undesirable).

One way to solve this is to move `COOKIE_SECRET` to the configuration file. This would allow sessions (which are just persisted in secure cookies) to persist across server restarts. The `COOKIE_SECRET` in the configuration could be changed manually if session invalidation is ever desired.

If this is an acceptable change I'm happy to write a pull request. :)
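The behaviour described in the issue, as an added illustration that is not the project's own code: a simplified HMAC-signed secure cookie whose secret is either drawn fresh on every server start or read from a configuration key named `COOKIE_SECRET`, so that a restart with a configured secret keeps sessions valid while a regenerated or manually changed secret rejects every earlier cookie. The function names, the signing format and the secret values are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets


def sign_session(cookie_secret: bytes, payload: dict, issued_at: float) -> str:
    """Serialise the session and append an HMAC keyed by the cookie secret."""
    body = base64.urlsafe_b64encode(
        json.dumps({"data": payload, "iat": issued_at}).encode()
    ).decode()
    mac = hmac.new(cookie_secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def load_session(cookie_secret: bytes, cookie: str, now: float, max_age: float):
    """Return the payload if the MAC verifies under this secret and the cookie
    is younger than max_age; otherwise None (tampered, expired, or signed under
    a different secret, which is what a regenerated secret looks like)."""
    body, sep, mac = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(cookie_secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    wrapper = json.loads(base64.urlsafe_b64decode(body))
    if now - wrapper["iat"] > max_age:
        return None
    return wrapper["data"]


def cookie_secret_for_start(config: dict) -> bytes:
    """Resolve the secret one server start uses. Without COOKIE_SECRET in the
    config a fresh random value is drawn (the per-start behaviour the issue
    describes); with it, the same secret is reused and sessions survive restarts."""
    configured = config.get("COOKIE_SECRET")
    return configured.encode() if configured else secrets.token_bytes(32)


def session_after_restart(config_before: dict, config_after: dict):
    """Issue a cookie under one start's secret, then read it after a 'restart'."""
    cookie = sign_session(cookie_secret_for_start(config_before),
                          {"user": "alice"}, issued_at=1000.0)
    return load_session(cookie_secret_for_start(config_after), cookie,
                        now=1500.0, max_age=86400.0)


# Constructed secrets for illustration only; a real deployment would use a long random value.
PERSISTENT = {"COOKIE_SECRET": "example-secret-from-config-file"}
ROTATED = {"COOKIE_SECRET": "example-secret-after-manual-change"}
```

`session_after_restart({}, {})` models today's behaviour (every start gets a new secret, so the cookie is rejected), while `session_after_restart(PERSISTENT, PERSISTENT)` keeps the session and `session_after_restart(PERSISTENT, ROTATED)` shows a deliberate invalidation.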