Yep. For starters, you shouldn’t be storing sensitive information in
the URL as HTTP GET, e.g.:
/myBankingApp/showAccount/123-45-6789 # An SSN
While tempting because it’s really easy, this is painfully obviously
Secondly, a short session timeout/cookie lifetime would help mitigate
the problem. A cookie with an expiry in the past will go away when
the browser is closed. At the place I work, we time out the user’s
session after about 5 minutes and automatically log them out. This is
extra important because we deal with private health information.
Thirdly, if it’s that sensitive, also consider securing the app
using HTTPS. I know browsers will do things like not caching pages
that use SSL. Hooking into window.close() is only so good, because it
If you look at eBay and Amazon, they constantly ask you to log in.
While being kind of a PITA, it’s pretty secure.
A good way to test your site security would be to go through the app
as a logged-in user, close the browser or log out, and then try to go
to a specific page in the user’s history as a non-logged-in user.
Obviously having your controllers do “before_filter :login_required”
or whatever is a good thing, but doing queries that include the
user’s credentials from the session also seems like a good thing.
That way you’re getting the user information from your login
controller and nowhere else.
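The last two points in plain Ruby, as an added illustration that is not part of the answer above: a `login_required!` check that expires idle sessions after the answer's five minutes, and an account lookup scoped to the session's user beside the URL-id-only lookup it replaces. The account table, session hash and helper names are constructed for the example; there is no Rails here.

```ruby
# Added example (not from the original answer): plain Ruby, no Rails,
# showing two ideas from the answer: scoping a lookup by the session's
# user instead of trusting the id in the URL, and expiring idle sessions.

IDLE_LIMIT = 5 * 60 # seconds; the answer's "about 5 minutes"

# Constructed sample data: account id => owner and balance.
ACCOUNTS = {
  "1001" => { owner: "alice", balance: 250 },
  "1002" => { owner: "bob",   balance: 900 },
}.freeze

# A session is a mutable hash: { user: "alice", last_seen: Time }.
def session_valid?(session, now = Time.now)
  return false if session[:user].nil? || session[:last_seen].nil?
  now - session[:last_seen] <= IDLE_LIMIT
end

# Stand-in for "before_filter :login_required": either the session is
# valid and unexpired, or the user is logged out and sent to login.
# Touching last_seen means activity keeps the session alive.
def login_required!(session, now = Time.now)
  unless session_valid?(session, now)
    session.clear # automatic logout
    return :redirect_to_login
  end
  session[:last_seen] = now
  nil
end

# Insecure pattern: look the record up by the id in the URL alone.
# Any logged-in user who supplies another id sees someone else's account.
def show_account_insecure(session, id, now = Time.now)
  problem = login_required!(session, now)
  return problem if problem
  ACCOUNTS[id] || :not_found
end

# Scoped pattern: the query includes the user taken from the session,
# so an id that belongs to another user is simply "not found".
def show_account(session, id, now = Time.now)
  problem = login_required!(session, now)
  return problem if problem
  acct = ACCOUNTS[id]
  return :not_found if acct.nil? || acct[:owner] != session[:user]
  acct
end
```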