Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Rails 4: Session Expiry?

Tags:

cookies

session

ruby-on-rails-4

I just made the switch from Rails 3.2 to Rails 4. I'm trying to make sure I'm as up-to-speed as possible on security issues, and I'm concerned about sessions right now. It looks like Rails 4 has moved away from supporting really anything EXCEPT cookie-based sessions, but it sounds like it's not possible to prevent cookie-based sessions from living forever. I've been reading several articles, but this one is the most official: http://guides.rubyonrails.org/security.html#session-expiry . Notice how they point out that this is an issue for cookie-based sessions, then they give a fix for it for database-based sessions (which are now deprecated, apparently).

I'm really confused. I want to be able to prevent an attacker from getting a cookie that gives him permanent access to my login-protected site. Obviously I can set :expire_after in initializers/session_store.rb, but unless I'm wrong that simply sets the expiration of the cookie which is client-side and easily altered by an attacker so the session can live forever. Of course I can make things better by forcing SSL, using secure cookies, and forcing HTTP only, but this will never be a complete defence until I can enforce session expiry.

How can I solve this problem when Rails is deprecating the only ways to have server-side sessions?

I know active record sessions has been moved into a gem and is still available, but the fact remains that it has been deprecated. A solution should be possible without introducing more dependencies, or at the very least without using deprecated features.

like image 377
kyrofa Avatar asked Jul 05 '13 03:07

kyrofa

Video Answer

1 Answers

Rails has "tamper-proof" session cookies. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie. Just make sure you have a long secret. If you want to periodically reset all user sessions change your secret.

To answer your question, if you want to add an extra time-out to the session data you could do:

session[:user_id] = user.id session[:expires_at] = Time.current + 24.hours

Then, when authenticating users, do:

if session[:expires_at] < Time.current   # sign out user end

Hope that helps.

like image 194
Patrick Reiner Avatar answered Sep 19 '22 21:09

Patrick Reiner
Sign in to Comment

Related questions

Flask permanent session: where to define them?
session_start hangs
What are the benefits of a stateless web application?
ExpressJS & Websocket & session sharing
How to kill a/all php sessions?
Importance of session secret key in Express web framework
How to check if a session is invalid
Could not initialize proxy - no Session
Sticky Sessions and Session Replication
Warning: connect.session() MemoryStore is not designed for a production environment, as it will leak memory, and will not scale past a single process
Connection problems with SQL Server in ASP.NET applications using out-of-process session state
hibernate session.save() does not reflect in database
asp.net - session - multiple browser tabs - different sessions?
Storing custom objects in Sessions
Read Session Id using Javascript
How the session work in asp.net?
How to auto save vim session on quit and auto reload on start including split window state?
$this->session->set_flashdata() and then $this->session->flashdata() doesn't work in codeigniter
Undefined variable: _SESSION when sending variables via post through JavaScript trigger
how safe is it to use session variables - asp.net / c#

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!