wvengen
commented
5 years ago Do the maintainers agree? Then I'll submit a PR.
Open wvengen opened 5 years ago
wvengen
commented
5 years ago Do the maintainers agree? Then I'll submit a PR.
jvdp
commented
11 months ago @wvengen only 4 years late with my reply ;)
As you may have seen this gem is deprecated. Do you still use it?
wvengen
commented
11 months ago Hah, thanks for replying :)
Yes, we are still using it, moving to a different admin framework was a big undertaking (our efforts in this direction are stalled), and we kind of decided to keep using this gem. Our expectations of upstream support have dropped to basically zero, indeed.
jvdp
commented
11 months ago We could see if we can transfer ownership or something, though it might actually be simpler to just vendor the gem in your project(s.) I have one project left that uses this and I'm thinking of doing that too.
wvengen
commented
11 months ago We are using it in two projects (core only), so we'll maintain core anyway, to the extent necessary for ourselves. I would be open to keep an eye on this project, as long we are using it.
jvdp
commented
11 months ago @wvengen what's your rubygems handle? You should also be getting the commit bit soon.
wvengen
commented
11 months ago Thank you! :) https://rubygems.org/profiles/wvengen
In https://github.com/brightin/brightcontent/pull/57#discussion_r296152637 it came up that we should probably reset the session after logout and after login.
https://www.owasp.org/index.php/Broken_Authentication_and_Session_Management https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#session-management-best-practices https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#user-logout-and-session-timeouts https://wblinks.com/notes/secure-session-management-tips/
I would come to the conclusion that both are desirable.