The gem is nice, but this code doesn't look very secure:
require 'sinatra'
require 'sinatra/cookies'  # provides the cookies helper used below

get '/logout' do
  cookies.delete(:glogin)  # removes the cookie from this client's browser only
  redirect to('/')
end
You delete a cookie from the client, but if it has been compromised already (the cookie was stolen), an attacker can replay this cookie and use it forever.
There are a few ways to avoid that:
Set a cookie expiration date. It won't help against replay attacks, but the cookie will expire at some point in time; it won't be valid forever. And on every [second/100th] request you can replace the existing cookie with a new expiration date.
Keep an id in the cookie and put it in storage. In this case you'll hit the database on each visit, so NoSQL databases can handle that. On logout the cookie won't be valid anymore, because it will be removed from storage.
I think the gem should have some storage callbacks or accept a storage object, so cookies can be secure enough. With the current implementation cookies are valid forever and that's not good.
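The storage-backed approach suggested in the comment above, as an added example that is not part of the glogin gem or the original comment: the cookie carries only an opaque random id, the server keeps the real record, logout deletes that record so a stolen cookie stops working, and each use slides the expiry forward. The in-memory Hash, the `SessionStore` class and its method names are assumptions made for this example.

```ruby
require 'securerandom'

# Added example (not glogin's code). The cookie value is an unguessable id;
# the user and expiry live here, so revoking the record invalidates every
# copy of the cookie, including one an attacker already stole.
class SessionStore
  def initialize(ttl: 3600, clock: -> { Time.now })
    @ttl = ttl          # seconds a session may stay idle before it expires
    @clock = clock      # injectable clock so tests can simulate elapsed time
    @sessions = {}      # id => { user:, expires_at: }; in-memory stand-in for
                        # the database/NoSQL store the comment proposes
  end

  # Login: create a session for +user+ and return the id to put in the cookie.
  def create(user)
    id = SecureRandom.urlsafe_base64(32) # 256 random bits
    @sessions[id] = { user: user, expires_at: @clock.call + @ttl }
    id
  end

  # Every request: resolve the cookie value to a user. Unknown ids (revoked,
  # never issued or forged) and expired ids return nil; a live session has
  # its expiry renewed, which is the sliding refresh the comment describes.
  def lookup(id)
    entry = @sessions[id]
    return nil if entry.nil?
    if entry[:expires_at] <= @clock.call
      @sessions.delete(id)
      return nil
    end
    entry[:expires_at] = @clock.call + @ttl
    entry[:user]
  end

  # Logout: delete the server-side record. Returns true if a session was
  # actually revoked. After this, replaying the old cookie yields no user.
  def revoke(id)
    !@sessions.delete(id).nil?
  end
end

# In a Sinatra app the logout route would call store.revoke(cookies[:glogin])
# before cookies.delete(:glogin), and every other route would check
# store.lookup(cookies[:glogin]) instead of trusting the cookie by itself.
```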