Open Mathiou04 opened 2 months ago
You can set a hard expiry for session cookies by configuring the expire_after option in Rails' session store. This will ensure that a session cookie cannot be reused after a specific time, no matter how active the user has been.
Here's how you can set it in config/initializers/session_store.rb:
Rails.application.config.session_store :cookie_store, key: '_your_app_session', expire_after: 30.minutes
Thanks for the reply @himanshu123456789000
I tried this option but:
The consequence is that this cookie won't expire when the browser is closed; it will be stored on the user's device, which is not a good security practice. In our case we would like to keep a session cookie (one that disappears after the browser is closed) but also add an expiry mechanism in case the browser stays open for too long, re-using the same session cookie.
Using the Rails expiry mechanism, we can't manage the different types of accounts separately (for example if we have 2 different Devise models). It is possible to have different security constraints on different account types and, for example, not want to expire all authentication sessions the same way.
It seems that this expiry is extended on each request, exactly like the Timeout module (I would need to cross-check that though).
Issue description
Currently the session cookie created by devise seems to be re-usable indefinitely. It looks like a security issue, as if for any reason a user has his session cookie leaked, then this cookie allows anyone to impersonate the user for as long as they want.
Suggestion
I am not sure if there is a way currently to invalidate previous session cookies (changing password?), but for example the timeout module, which prevents this issue to a certain extent, can be circumvented: a malicious user can extend the validity of the cookie by performing legitimate HTTP requests with the still-valid cookie. A way to ensure the cookie is not re-usable indefinitely would be to provide an expiry date that cannot be extended (not dependent on user activity), as already suggested here a few years back.
Would you be open to support such a feature?
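The behaviour discussed in this thread, modelled in plain Ruby as an added example (this is not Devise's or Rails' code, and the class, key and scope names are hypothetical): a sliding inactivity window that every request refreshes (the way the Timeoutable module's timeout_in behaves) next to an absolute maximum lifetime counted from authentication that no activity can extend. Both timestamps live inside the server-verified session payload rather than in the cookie's Expires attribute, so the browser cookie itself can stay a session cookie that is dropped when the browser closes. The policies are keyed per scope so that different Devise models can get different constraints, and a small replay loop shows what an attacker holding a leaked cookie achieves against each policy.

```ruby
# Added example, not Devise/Rails code. Session is a plain Hash standing in for
# the data the app writes into its signed/encrypted cookie; the keys
# 'authenticated_at' and 'last_request_at' are hypothetical names.
class SessionPolicy
  # sliding:  inactivity window in seconds, refreshed on every valid request
  # absolute: maximum lifetime in seconds from authentication, never refreshed
  def initialize(sliding: nil, absolute: nil)
    @sliding = sliding
    @absolute = absolute
  end

  # Called once when the user authenticates: stamps the session.
  def start(session, now)
    session['authenticated_at'] = now.to_i
    session['last_request_at'] = now.to_i
    session
  end

  # Called on every request. Returns :ok, :idle_timeout, :max_lifetime or
  # :unauthenticated. Only the sliding stamp is refreshed; the absolute cap is
  # checked first so that activity cannot keep a session past it.
  def check(session, now)
    return :unauthenticated unless session['authenticated_at']

    if @absolute && now.to_i - session['authenticated_at'] > @absolute
      session.clear
      return :max_lifetime
    end
    if @sliding && now.to_i - session['last_request_at'] > @sliding
      session.clear
      return :idle_timeout
    end
    session['last_request_at'] = now.to_i
    :ok
  end
end

# One policy per scope (hypothetical scope names, e.g. one per Devise model):
# admins get a short idle window and a short hard cap, users a longer one.
POLICIES = {
  admin: SessionPolicy.new(sliding: 15 * 60, absolute: 60 * 60),
  user:  SessionPolicy.new(sliding: 30 * 60, absolute: 8 * 60 * 60)
}.freeze

# Simulates an attacker replaying a leaked cookie every `interval` seconds to
# keep it alive. Returns [outcome, elapsed_seconds] for the first rejected
# request, or [:ok, horizon] if the cookie is still accepted at the horizon.
def replay_until_rejected(policy, interval:, horizon:)
  t0 = Time.utc(2024, 1, 1, 0, 0, 0)            # constructed clock origin
  session = policy.start({}, t0)
  elapsed = interval
  while elapsed <= horizon
    result = policy.check(session, t0 + elapsed)
    return [result, elapsed] unless result == :ok
    elapsed += interval
  end
  [:ok, horizon]
end

if __FILE__ == $PROGRAM_NAME
  day = 24 * 60 * 60
  sliding_only = SessionPolicy.new(sliding: 30 * 60)
  # Requests every 10 minutes keep a sliding-only session alive for the whole day.
  p replay_until_rejected(sliding_only, interval: 10 * 60, horizon: day)
  # The same replay against the per-scope policies hits the absolute cap.
  p replay_until_rejected(POLICIES[:user],  interval: 10 * 60, horizon: day)
  p replay_until_rejected(POLICIES[:admin], interval: 10 * 60, horizon: day)
end
```

With a sliding window alone, a replay every 10 minutes is never rejected within 24 hours, which is exactly the circumvention described above; with the absolute cap the user-scope replay is rejected on the first request after 8 hours and the admin-scope one after 1 hour, regardless of how active the cookie holder was. Once a session is rejected it is cleared, so a further request with the same cookie is treated as unauthenticated rather than as still timed out.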