Security issue: Two users masquerading to the same user can be logged in as the other person #94
Comments
It's a bit tricky to fix, to be honest, for now. Let's discuss. Probably, let's say I removed the session to skip any exposure of encoded data. Rails.cache is a safe enough way to keep the data about the requested masquerading user. I had this ticket #83; going to review the code for now and think how to fix it.
OK, as an implementation idea, so how about you create a random token ( Then you're not storing anything sensitive in the session, you aren't storing an easily guessable value and if an attacker gets hold of the whole session, they could unmasquerade anyway? Completely up to you, just throwing a suggestion out there :-)
@andyjeffries Looking good. It doesn't break anything. Thank you. I will try to apply it today.
Hi @andyjeffries Please review PR if you have time: #95 |
I've just noticed I'm using 1.3.11 and it's still happening for me. |
Let's say Admin A and Admin B are both masquerading as User C from their own machines.
A does it first (and
devise_masquerade/app/controllers/devise/masquerades_controller.rb, line 75 in 931a519
Then A logs out on his machine and suddenly he's logged in as B (which potentially via Pundit or something has different authorisations that he shouldn't have)
I think using the Rails cache isn't the best idea for this, but maybe storing something in the Rails session?
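The collision described in this issue, next to the random-token alternative suggested in the thread, as an added Ruby illustration that is not devise_masquerade's own code: Rails.cache and the two admins' browser sessions are stood in for by plain hashes, and all method names are assumptions.

```ruby
require 'securerandom'

# Constructed stand-in for Rails.cache (shared by every request on the server).
CACHE = {}

# Vulnerable pattern: the masquerading admin is remembered under a cache key
# derived only from the masqueraded user's id, so two admins masquerading as
# the same user overwrite each other's entry.
def masquerade_by_user_id(session, admin_id, target_id)
  CACHE["masquerade:#{target_id}"] = admin_id
  session[:masquerading_as] = target_id
end

def back_by_user_id(session)
  # Whoever wrote the shared entry last wins, regardless of whose session this is.
  CACHE["masquerade:#{session[:masquerading_as]}"]
end

# Hardened pattern (the thread's suggestion): mint an unguessable token per
# masquerade, keep only the token in that admin's session, and key the cache
# entry by the token so entries for the same target cannot collide.
def masquerade_by_token(session, admin_id, target_id)
  token = SecureRandom.hex(32)
  CACHE["masquerade:#{token}"] = admin_id
  session[:masquerade_token] = token
  session[:masquerading_as] = target_id
end

def back_by_token(session)
  # Consume the entry so the token cannot be reused after the admin returns.
  admin = CACHE.delete("masquerade:#{session[:masquerade_token]}")
  session.delete(:masquerade_token)
  admin
end

# Replays the scenario from the issue: A and B both masquerade as C from
# separate sessions, then A goes back. Returns who A ends up logged in as.
def scenario(masquerade, back)
  CACHE.clear
  session_a = {}
  session_b = {}
  send(masquerade, session_a, 'admin_A', 'user_C')
  send(masquerade, session_b, 'admin_B', 'user_C')
  send(back, session_a)
end
```

With the user-id key A comes back as admin_B, exactly the cross-login reported above; with the per-session token A comes back as admin_A.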