I’ve been Googling this question for the past few hours, and I think it’s time I simply ask this question myself.

I just made the switch from Rails 3.2 to Rails 4. I’m trying to make sure I’m as up-to-speed as possible on security issues, and I’m concerned about sessions right now. It looks like Rails 4 has moved away from supporting really anything EXCEPT cookie-based sessions, but it sounds like it’s not possible to prevent cookie-based sessions from living forever. I’ve been reading several articles, but this one is the most official: Securing Rails Applications — Ruby on Rails Guides. Notice how they point out that this is an issue for cookie-based sessions, then they give a fix for it for database-based sessions (which are now deprecated, apparently).

I’m really confused. I want to be able to prevent an attacker from getting a cookie that gives him permanent access to my login-protected site. Obviously I can set :expire_after in initializers/session_store.rb, but unless I’m wrong that simply sets the expiration of the cookie, which is client-side and easily altered by an attacker, so the session can live forever. Of course I can make things better by forcing SSL, using secure cookies, and forcing HTTP only, but this will never be a complete defense until I can enforce session expiry.

How can I solve this problem when Rails is deprecating the only ways to have server-side sessions? Advice would certainly be appreciated!

(P.S. I know Active Record sessions have been moved into a gem and are still available, but the fact remains that they have been deprecated. A solution should be possible without introducing more dependencies, or at the very least without using deprecated features. I just know I’m missing something.)
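The technique the question is circling, shown as an added example that is not part of the original post and not Rails' own code: keep the issue timestamp inside the signed session payload rather than relying on the cookie's client-controlled Expires attribute, and have the server reject any session whose timestamp is too old or whose signature does not verify. Rails' cookie store already signs (and, from 4.1 on, encrypts) the whole session hash with secret_key_base, so in a real app this reduces to writing a timestamp into `session` and checking it in a before_action. To run without Rails, the block models that signed cookie with a plain HMAC; `SECRET`, `SESSION_TTL`, `encode_session`, `decode_session` and `current_user_id` are hypothetical names chosen for the example, and the timestamps are constructed test values.

```ruby
# Added example (not from the original post): a signed, cookie-backed session
# whose expiry is enforced server-side. Rails' cookie store signs the session
# payload with secret_key_base; here a stdlib HMAC stands in for that so the
# file runs without Rails. All names here are hypothetical.
require "json"
require "base64"
require "openssl"

SECRET      = "test-secret-not-for-production"  # stands in for secret_key_base
SESSION_TTL = 30 * 60                           # 30 minutes, like :expire_after

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
end

# Constant-time comparison so a forged MAC cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie value = base64(JSON) + "--" + HMAC. The issue time travels inside the
# signed part, so a client cannot move it forward without breaking the MAC.
def encode_session(data, now: Time.now.to_i)
  body = Base64.strict_encode64(JSON.generate(data.merge("issued_at" => now)))
  "#{body}--#{sign(body)}"
end

# Verify the MAC, then the server-side age limit. Returns the session hash, or
# nil when the cookie is missing, malformed, tampered with, or older than
# SESSION_TTL. The cookie's own Expires attribute plays no part in this.
def decode_session(cookie, now: Time.now.to_i)
  body, mac = cookie.to_s.split("--", 2)
  return nil unless body && mac
  return nil unless secure_equal?(mac, sign(body))
  data = JSON.parse(Base64.strict_decode64(body))
  return nil unless data["issued_at"].is_a?(Integer)
  return nil if now - data["issued_at"] > SESSION_TTL
  data
rescue ArgumentError, JSON::ParserError
  nil
end

# What a before_action would do: resolve the user from the session, or treat the
# request as logged out (and reset the session) when the check fails.
def current_user_id(cookie, now: Time.now.to_i)
  session = decode_session(cookie, now: now)
  session && session["user_id"]
end

if __FILE__ == $PROGRAM_NAME
  t0 = 1_700_000_000                                   # constructed login time
  cookie = encode_session({ "user_id" => 42 }, now: t0)
  p current_user_id(cookie, now: t0 + 60)              # 42: fresh session
  p current_user_id(cookie, now: t0 + SESSION_TTL + 1) # nil: expired server-side
  # An attacker who rewrites issued_at in the body but keeps the old MAC fails.
  _, mac = cookie.split("--", 2)
  forged = Base64.strict_encode64(JSON.generate("user_id" => 42, "issued_at" => t0 + 10**6))
  p current_user_id("#{forged}--#{mac}", now: t0 + SESSION_TTL + 1) # nil: tampered
end
```

In a Rails 4 app the same shape is `session[:issued_at] = Time.now.to_i` at login and a before_action that calls `reset_session` and redirects when `Time.now.to_i - session[:issued_at].to_i` exceeds the limit; the cookie store's signature is what stops the client from editing that value. For an idle timeout rather than a fixed lifetime, refresh the timestamp on each authenticated request instead of only at login.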