What do you think about providing the option to silently ignore the lack of session middleware for those protections that depend on it? Right now, a runtime error is thrown if a protection tries to access the Rack session when one isn't loaded. This is problematic when implementing Rack::Protection with my framework Scorched, as Scorched doesn't do any automatic loading of session middleware.
The only way I can make Rack::Protection work in the case of Scorched is to exclude all those protections that try to access the session. I don't like this, however, because obviously you're excluding valuable protections while giving users a false sense of security. I'd much rather have Rack::Protection protect sessions if available, or perhaps a warning is more suitable, so that if there's a middleware ordering issue it's not completely hidden.
Can I therefore propose an option be added to silently ignore the lack of session middleware? E.g.

```ruby
use Rack::Protection, ignore_missing_session: true
use Rack::Protection, lazy_session: true
```
Maybe you can think of a better name. Thoughts?
I don't know. The issue is that it's absolutely necessary for people to set up the session middleware before the protection middleware, otherwise most protections won't work. Would moving the logic that Sinatra has right now to rack-protection be sufficient?
I do need to add my two cents to it: I have an app which does have a public API, and there I do not need a session and I do not want to have such a session. For that reason I use
Rack::Csrf, which allows me to add path patterns where to skip that middleware, i.e. where I do not want a session, and for rack-protection I added a small middleware which deletes the session cookie on path patterns where I do not want to have a session.
BTW I found only the following middleware which needs a session:
I'd rather have a way to deal with sessions somehow via options, like the skip from Rack::Csrf.
Thanks for the input. I think deciding which routes to protect against certain attacks and which not should be handled by a Rack router; not every single middleware should implement path-matching logic (especially since it's not easy).
As to disabling all session protections at once, Sinatra already has logic for this; I think we should just port that over.
Perhaps implementing something similar to the Sinatra logic would be the way to go then.
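To make the two points in this thread concrete (the ordering requirement from the maintainer's reply, and the suggestion that per-path skipping belongs in a Rack router rather than in each middleware), here is an added example that is not part of this issue and not rack-protection's or Sinatra's own code. It builds a Rack-style stack by hand with toy stand-ins: `ToySession` plays the role of a session middleware such as `Rack::Session::Cookie`, `ToySessionProtection` plays the role of a session-dependent protection and raises when `env["rack.session"]` is missing, and `ToyRouter` is a minimal prefix router. The `ignore_missing_session:` option on the toy protection is the proposal from the opening post, not an option rack-protection provides. Nothing here needs the rack or rack-protection gems.

```ruby
# Added example (not rack-protection's own code): a minimal simulation of a
# Rack middleware stack showing (a) why session middleware must be loaded
# before a session-dependent protection and (b) mounting the protection only
# on non-API paths with a router instead of per-middleware path matching.
# All classes below are toy stand-ins written for this example.

# Hypothetical stand-in for a session middleware such as Rack::Session::Cookie.
class ToySession
  SESSION_KEY = "rack.session".freeze   # the real Rack env key for the session

  def initialize(app)
    @app = app
  end

  def call(env)
    env[SESSION_KEY] ||= {}              # constructed session: an in-memory hash
    @app.call(env)
  end
end

# Hypothetical stand-in for a session-dependent protection (e.g. a CSRF check).
# It raises if no session was loaded, unless the (proposed, hypothetical)
# ignore_missing_session flag is set.
class ToySessionProtection
  def initialize(app, ignore_missing_session: false)
    @app = app
    @ignore = ignore_missing_session
  end

  def call(env)
    session = env[ToySession::SESSION_KEY]
    if session.nil?
      raise "session middleware must be loaded before the protection" unless @ignore
      return @app.call(env)             # silently skip when the flag is set
    end
    session[:csrf_checked] = true        # stand-in for the real protection work
    @app.call(env)
  end
end

# Minimal prefix router, the "rack router" alternative to path matching inside
# each middleware: the longest mounted prefix that matches PATH_INFO wins.
class ToyRouter
  def initialize(map)
    @map = map.sort_by { |prefix, _| -prefix.length }
  end

  def call(env)
    path = env["PATH_INFO"]
    _, app = @map.find { |prefix, _| path.start_with?(prefix) }
    app ? app.call(env) : [404, {}, ["not found"]]
  end
end

# Endpoint that reports whether a session was present when it ran.
APP = ->(env) { [200, {}, [env["rack.session"] ? "with session" : "no session"]] }

# Run a stack against a constructed env and return the body, or the error text.
def run(app, path = "/")
  app.call({ "PATH_INFO" => path }).last.first
rescue RuntimeError => e
  "error: #{e.message}"
end

# Wrong order (protection wrapped *around* the session middleware, i.e.
# `use Rack::Protection` listed before the session `use` line): it runs first
# and finds no session.
def wrong_order
  run(ToySessionProtection.new(ToySession.new(APP)))
end

# Right order: session middleware is outermost, the protection sees the session.
def right_order
  run(ToySession.new(ToySessionProtection.new(APP)))
end

# The proposed option: no session middleware at all, but the protection is
# told not to raise, so the request goes through unprotected.
def ignore_option
  run(ToySessionProtection.new(APP, ignore_missing_session: true))
end

# Router-based split: /api gets neither a session nor the session protection,
# everything else gets the full session + protection stack.
def routed(path)
  run(ToyRouter.new("/api" => APP, "/" => ToySession.new(ToySessionProtection.new(APP))), path)
end

if __FILE__ == $0
  puts wrong_order, right_order, ignore_option, routed("/api/users"), routed("/home")
end
```

The ordering cases map directly onto a config.ru: the `use` line for the session middleware has to come before `use Rack::Protection`, because each `use` wraps everything listed after it. The `ignore_option` case is the trade-off the thread is about: with the flag set the request is served, but no session-based protection ran, which is the "false sense of security" the opening post warns about.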
I got the same error in Rails 3.2. I think it would be nice to add this to the README, i.e. how to set up the middleware before setting up rack-protection.
Hi! I just got hit by the same problem after installing the gem and adding the two lines as documented. I cannot find much documentation on the topic, about what exactly is needed and how to set it up. A brief note in the README would be much appreciated.