mikker / passwordless

🗝 Authentication for your Rails app without the icky-ness of passwords
MIT License

Potentially affected by Session Fixation attack #107

Status: Closed (closed by xdmx 2 years ago)

xdmx commented 2 years ago

Hey @mikker, I was going through the Rails security guide and reading about the Session Fixation attack. It seems that Passwordless might be affected by that, as it never resets the session after sign-in (only on sign-out).

I haven't double-checked it; I only went through the current code and wanted to let you know.

mikker commented 2 years ago

You could be right. I don't have the time for a deep dive right now, but it looks like the fix is just to add that `reset_session` upon sign-in? A PR is very welcome!
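To make the attack and the proposed fix concrete, here is an added example that is not part of the issue thread or of the passwordless gem. It models a server-side session store (id in the cookie, data on the server, as with ActiveRecord- or cache-backed Rails sessions) with two sign-in paths: one that writes the user into whatever session the cookie names, and one modelled on calling `reset_session` first, which discards the old session and issues a new id. The `SessionServer` class, the method names and the user `alice` are all constructed for the demonstration.

```ruby
require 'securerandom'

# Added example (not passwordless's own code): an in-memory model of a
# server-side session store, keyed by the id a browser carries in its cookie.
class SessionServer
  def initialize
    @sessions = {} # session id -> session data hash
  end

  # Start a fresh, anonymous session and return its id (the cookie value).
  def new_session
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  # Vulnerable sign-in: stores the user in the session the cookie already
  # names and never rotates the id. An id the attacker knows in advance
  # therefore becomes an authenticated session the attacker can reuse.
  def sign_in_keep_session(session_id, user_id)
    session = @sessions.fetch(session_id)
    session[:user_id] = user_id
    session_id
  end

  # Hardened sign-in, modelled on calling reset_session before storing the
  # user: the pre-login session is destroyed and a new id is issued, so the
  # id the attacker planted or captured no longer maps to anything.
  def sign_in_reset_session(session_id, user_id)
    @sessions.delete(session_id)
    new_id = new_session
    @sessions[new_id][:user_id] = user_id
    new_id
  end

  # The user logged in under a given cookie value, or nil.
  def current_user(session_id)
    @sessions.dig(session_id, :user_id)
  end
end

# Replay the fixation scenario against one of the sign-in methods and report
# what the attacker can do with the id they planted.
def fixation_outcome(sign_in_method)
  server = SessionServer.new
  planted_id = server.new_session # attacker obtains a valid anonymous id...
  # ...plants it in the victim's browser (e.g. a cookie-setting link or a
  # cookie written from a sibling subdomain); the victim then signs in
  # while carrying that cookie.
  victim_cookie = server.public_send(sign_in_method, planted_id, 'alice')
  {
    attacker_sees_user: server.current_user(planted_id),
    victim_cookie_changed: victim_cookie != planted_id
  }
end

if __FILE__ == $PROGRAM_NAME
  p fixation_outcome(:sign_in_keep_session)   # attacker now acts as alice
  p fixation_outcome(:sign_in_reset_session)  # planted id is worthless
end
```

The check that matters in review is the second hash: after the fix, `current_user(planted_id)` is nil and the victim's cookie value has changed, which is exactly what a rotated session id gives you. The Rails guide's recommendation is the same step the fix in this issue describes: call `reset_session` on successful sign-in before writing the user into the session, so that nothing written after authentication lands in a session whose id was chosen before it.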