Is devise vulnerable to session hijacking over a normal http:// connection? I am having trouble figuring it out from the documentation.
Yes. Rails' default way to manage sessions is susceptible to hijacking.
This is because it transmits to the client all the information the client further requires to identify itself in HTTP cookies. For the most part, anybody who can intercept the HTTP connection can assume the identity of the client from Rails' perspective.
The simplest countermeasure is to only serve your site via HTTPS and have Rails issue secure cookies, which tells the browser only to send that cookie via HTTPS. The security guide has more helpful tips.
As mentioned in this email on the Devise discussion group, security setup for the application is in the domain of the main application (in this case, Rails, I assume).
Do check out the RailsCast episode - Dangers of Session Hijacking to deal with session hijacking at the Rails Application level.
Rails Security Guide's section on Session Hijacking is another must read resource.
Devise provides for forcing SSL-only cookies by setting :secure => true in the config/initializers/devise.rb file of a Rails app.
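The answers above hinge on one cookie attribute: a session cookie without Secure is sent by the browser over plain http and can be replayed by whoever sees it. The following is an added example, not code from any of the answers or from Devise or Rails, that parses a Set-Cookie header the way a browser would, decides whether the cookie would be attached to an http request, and lists what a hardened Rails session cookie should carry. The header values are constructed samples, and the function names are my own.

```ruby
# Added example (not from the original answers): inspect a Set-Cookie header for
# a Rails session cookie and decide whether it could leak over plain HTTP.
# Pure Ruby, no Rails required.

Cookie = Struct.new(:name, :value, :attributes, keyword_init: true)

# Parse one Set-Cookie header value into name, value and a hash of attributes.
# Attribute names are lowercased; flag attributes (Secure, HttpOnly) map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split('=', 2)
    h[k.downcase] = v.nil? ? true : v
  end
  Cookie.new(name: name, value: value, attributes: attributes)
end

# Would a browser attach this cookie to a request made over the given scheme?
# A cookie marked Secure is only sent over https; anything else goes over both.
def sent_over?(cookie, scheme)
  return true unless cookie.attributes['secure']

  scheme == 'https'
end

# List the attributes a session cookie is missing and what each gap means.
def session_cookie_findings(cookie)
  findings = []
  findings << 'missing Secure: cookie is sent in clear text over http' unless cookie.attributes['secure']
  findings << 'missing HttpOnly: cookie is readable from JavaScript' unless cookie.attributes['httponly']
  findings << 'missing SameSite: cookie is attached to cross-site requests' unless cookie.attributes['samesite']
  findings
end

# Constructed sample headers: one without Secure, one hardened.
WEAK_HEADER = '_app_session=abc123; path=/; HttpOnly'
HARDENED_HEADER = '_app_session=abc123; path=/; Secure; HttpOnly; SameSite=Lax'

if __FILE__ == $0
  [WEAK_HEADER, HARDENED_HEADER].each do |h|
    c = parse_set_cookie(h)
    puts "#{c.name} (#{h}): sent over http? #{sent_over?(c, 'http')}"
    session_cookie_findings(c).each { |f| puts "  - #{f}" }
  end
end
```

Running it against the two constructed headers shows the weak cookie being sent over http and the hardened one only over https. In a Rails app the attributes come from the session store and Devise configuration mentioned in the answers; setting `config.force_ssl = true` in the production environment additionally makes Rails redirect http requests to https and flag cookies as Secure, which is the broader countermeasure the first answer describes.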