Hi,
Looks like login method resets and restores session. But auto_login method doesn't.
I think auto_login method should too. Hou about? 👀
Ruby On Rails Security Guide
The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well. Here is how to create a new session in Rails: reset_session
If you use the popular RestfulAuthentication plugin for user management, add reset_session to the SessionsController#create action. Note that this removes any value from the session, you have to transfer them to the new session.
|
def auto_login(user, _should_remember = false) |
|
session[:user_id] = user.id.to_s |
|
@current_user = user |
|
end |
|
def login(*credentials) |
|
@current_user = nil |
|
|
|
user_class.authenticate(*credentials) do |user, failure_reason| |
|
if failure_reason |
|
after_failed_login!(credentials) |
|
|
|
yield(user, failure_reason) if block_given? |
|
|
|
# FIXME: Does using `break` or `return nil` change functionality? |
|
# rubocop:disable Lint/NonLocalExitFromIterator |
|
return |
|
# rubocop:enable Lint/NonLocalExitFromIterator |
|
end |
|
|
|
old_session = session.dup.to_hash |
|
reset_sorcery_session |
|
old_session.each_pair do |k, v| |
|
session[k.to_sym] = v |
|
end |
|
form_authenticity_token |
|
|
|
auto_login(user, credentials[2]) |
|
after_login!(user, credentials) |
|
|
|
block_given? ? yield(current_user, nil) : current_user |
|
end |
|
end |
Hi,
Looks like
loginmethod resets and restores session. Butauto_loginmethod doesn't.I think
auto_loginmethod should too. Hou about? 👀Ruby On Rails Security Guide
sorcery/lib/sorcery/controller.rb
Lines 116 to 119 in 4485701
sorcery/lib/sorcery/controller.rb
Lines 37 to 64 in 4485701