Closed biinari closed 1 year ago
Fixes #145.
Addresses CVE-2019-16782
Use the private_id from Rack::Session::SessionId added in https://github.com/rack/rack/commit/cc1d162d28396b6a71f266e6a40ffc19a258792b as the key to store in redis. This should prevent a timing attack based on session lookup.
private_id
Rack::Session::SessionId
Fallback on the old redis key as the public_id so that old sessions continue to work.
public_id
Great job! Thanks
Jesterovskiy
commented
1 year ago Jesterovskiy
commented
1 year ago
Fixes #145.
Addresses CVE-2019-16782
Use the
private_idfromRack::Session::SessionIdadded in https://github.com/rack/rack/commit/cc1d162d28396b6a71f266e6a40ffc19a258792b as the key to store in redis. This should prevent a timing attack based on session lookup.Fallback on the old redis key as the
public_idso that old sessions continue to work.