roidrage / redis-session-store

A simple session store for Rails based on Redis.
http://github.com/roidrage/redis-session-store
MIT License

Use AbstractSecureStore for security fix #125

Closed zbelzer closed 2 years ago

zbelzer commented 3 years ago

This allows the store to take advantage of the security fix added in https://github.com/rack/rack/commit/cc1d162d28396b6a71f266e6a40ffc19a258792b

baburdick commented 3 years ago

This addresses this Rack vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2019-16782

mitchellhenke commented 2 years ago

Is there anything holding this up from being merged? 🙂

n-rodriguez commented 2 years ago

Hi there! Any news?

Jesterovskiy commented 2 years ago

Thanks!

mitchellhenke commented 1 year ago

I'm not sure that this patch completely addresses the vulnerability described since the gem still uses the session identifier in the cookie as the key in Redis.
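The point raised in the last comment (the raw session identifier from the cookie doubling as the Redis key) is easiest to see side by side. The following is an added example written for this page, not code from redis-session-store or from Rack: it uses an in-memory Hash standing in for a Redis client, a hypothetical `RawKeyStore` that keys on the cookie value, and a hypothetical `HashedKeyStore` that derives a private storage id by hashing the public id, which is the idea behind the linked Rack commit. The `session:` prefix, the `2::` version tag and the SHA-256 choice are this example's own assumptions.

```ruby
require 'digest'
require 'securerandom'

# Constructed stand-in for a Redis client: a plain Hash exposing only the three
# calls this example needs. Nothing here connects to a real server.
class FakeRedis
  def initialize
    @data = {}
  end

  def set(key, value)
    @data[key] = value
  end

  def get(key)
    @data[key]
  end

  # Mirrors Redis KEYS: whoever can read the keyspace (an RDB backup, a debug
  # console, a monitoring dump) sees every key name.
  def keys
    @data.keys
  end
end

# Hypothetical store that keys Redis on the raw cookie value. This is the
# behaviour the comment above is concerned about: the secret that
# authenticates the browser is also the name of the key in the store.
class RawKeyStore
  PREFIX = 'session:'.freeze

  def initialize(redis)
    @redis = redis
  end

  # Returns the public id that would be placed in the cookie.
  def write(data)
    public_id = SecureRandom.hex(16)
    @redis.set(PREFIX + public_id, Marshal.dump(data))
    public_id
  end

  def read(public_id)
    blob = @redis.get(PREFIX + public_id)
    blob && Marshal.load(blob)
  end
end

# Derive a private storage id from the public (cookie) id. Written for this
# example after the approach in the linked Rack commit: hash the cookie value
# so the secret never appears as a key name, and so key lookups no longer
# compare attacker-controlled input against stored ids directly.
def private_id(public_id)
  '2::' + Digest::SHA256.hexdigest(public_id)
end

# Hypothetical store that keys Redis on the hashed id. The cookie still carries
# the public id; only its hash reaches the store.
class HashedKeyStore
  PREFIX = 'session:'.freeze

  def initialize(redis)
    @redis = redis
  end

  def write(data)
    public_id = SecureRandom.hex(16)
    @redis.set(PREFIX + private_id(public_id), Marshal.dump(data))
    public_id
  end

  def read(public_id)
    blob = @redis.get(PREFIX + private_id(public_id))
    blob && Marshal.load(blob)
  end
end

# Check used to compare the two stores: does any key name in the store reveal
# the value a browser would present in its cookie?
def key_exposes_cookie?(redis, public_id)
  redis.keys.any? { |k| k.include?(public_id) }
end

if $PROGRAM_NAME == __FILE__
  raw_redis = FakeRedis.new
  raw_sid = RawKeyStore.new(raw_redis).write('user_id' => 1)
  puts "raw store exposes cookie in key names: #{key_exposes_cookie?(raw_redis, raw_sid)}"

  hashed_redis = FakeRedis.new
  hashed_sid = HashedKeyStore.new(hashed_redis).write('user_id' => 1)
  puts "hashed store exposes cookie in key names: #{key_exposes_cookie?(hashed_redis, hashed_sid)}"
end
```

With the hashed store, reading the Redis keyspace yields only SHA-256 digests, which cannot be turned back into a cookie value; with the raw store, every key name is a usable session cookie. Note that switching to hashed keys invalidates sessions written under the old scheme unless the store also falls back to the legacy key during a migration window.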