mikker / passwordless

🗝 Authentication for your Rails app without the icky-ness of passwords
MIT License

Reset session at sign_in to protect from session fixation attacks. #108

Closed madogiwa0124 closed 2 years ago

madogiwa0124 commented 2 years ago

It is recommended to reset the session at sign in to protect from session fixation attacks. So I reset the session in Passwordless::ControllerHelpers#sign_in.

2.7 Session Fixation - Countermeasures One line of code will protect you from session fixation. The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well. Here is how to create a new session in Rails: reset_session https://guides.rubyonrails.org/security.html#session-fixation-countermeasures

ex. Sorcery::Controller::InstanceMethods#login in Sorcery

old_session = session.dup.to_hash
reset_sorcery_session
old_session.each_pair do |k, v|
  session[k.to_sym] = v
end

https://github.com/Sorcery/sorcery/blob/6fdc703416b3ff8d05708b05d5a8228ab39032a5/lib/sorcery/controller.rb#L52-L56

How about this PR?

fixed https://github.com/mikker/passwordless/issues/107
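The pattern this PR adopts from Sorcery, as an added Rails-free example (not passwordless's or Sorcery's own code): a constructed in-memory session store stands in for Rails' session, and the hypothetical SignInHelper#sign_in issues a new session id, invalidates the one fixed before login, and carries the previous session data over, as the quoted snippet does.

```ruby
require "securerandom"

# Constructed stand-in for a server-side session store: id => data hash.
class SessionStore
  def initialize; @data = {}; end
  def create(id = SecureRandom.hex(16)); @data[id] = {}; id; end
  def fetch(id); @data[id]; end
  def destroy(id); @data.delete(id); end
end

# Hypothetical controller helper modelled on the behaviour the PR adds to
# Passwordless::ControllerHelpers#sign_in: new id, old id invalid, old keys kept.
class SignInHelper
  attr_reader :session_id

  def initialize(store, session_id)
    @store, @session_id = store, session_id
  end

  def session; @store.fetch(@session_id); end

  # Mirrors Rails' reset_session: the previously issued id stops resolving.
  def reset_session
    @store.destroy(@session_id)
    @session_id = @store.create
  end

  def sign_in(user_id)
    old_session = session.dup
    reset_session                         # the pre-login id is now invalid
    old_session.each_pair { |k, v| session[k.to_sym] = v }
    session[:user_id] = user_id
    session_id
  end
end

# Constructed scenario: a session id that existed before the login completes.
def demo
  store = SessionStore.new
  pre_login_id = store.create("constructed-pre-login-id")
  store.fetch(pre_login_id)[:return_to] = "/dashboard"
  helper = SignInHelper.new(store, pre_login_id)
  new_id = helper.sign_in(42)
  {
    id_changed: new_id != pre_login_id,
    old_id_invalid: store.fetch(pre_login_id).nil?,
    data_kept: store.fetch(new_id)[:return_to] == "/dashboard",
    user_signed_in: store.fetch(new_id)[:user_id] == 42
  }
end
```

All four checks in `demo` should be true: the id rotates, the pre-login id no longer resolves, and both the carried-over key and the new user_id live under the new id.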

rickychilcott commented 2 years ago

This seems reasonable to me. I'm apt to approve and merge. @madogiwa0124 have you tried your fork in one of your own applications to ensure there are no downsides to this approach?

Thank you for jumping on this.

madogiwa0124 commented 2 years ago

@rickychilcott

Thanks for your comment!

I just tried forking on my application and it seems to be working fine. Here is what I actually did.

mikker commented 2 years ago

Thank you both for helping out. Don't forget a changelog entry if you decide to include this, @rickychilcott 😊

rickychilcott commented 2 years ago

My review on this one is good, but let me spin up a test project here and merge/changelog/bump if all goes well.

rickychilcott commented 2 years ago

I bumped to version 0.11.0 and added a changelog entry in 74e753068309a744a28e9432e2681a00178eeb0b. @mikker I'm not sure I have the ability to release the gem. If that's something you want to give to me, great. Otherwise, I wonder if we could work up a github action flow to possibly auto-publish.

rickychilcott commented 2 years ago

https://andrewm.codes/blog/automating-ruby-gem-releases-with-github-actions/ could be a good read and an hour of work to save pain for the future :)

mikker commented 2 years ago

You can absolutely be a maintainer on RubyGems. Appreciate all your help here very much. Do I just use the e-mail address that I already have?

rickychilcott commented 2 years ago

Same email. I couldn't readily find that email communication, so... I commented here. Thanks!