
Absolute timeout of the session (session not extended by the last activity) #5715

Open
Mathiou04 opened this issue Sep 17, 2024 · 2 comments

Comments

@Mathiou04

Issue description

Currently the session cookie created by devise seems to be re-usable indefinitely.
It looks like a security issue, as if for any reason a user has his session cookie leaked, then this cookie allows anyone to impersonate the user for as long as they want.

Suggestion

I am not sure if there is a way currently to invalidate previous session cookies (changing password?), but for example the timeout module which prevents this issue to a certain extent can be circumvented:
a malicious user can extend the validity of the cookie by performing legitimate HTTP requests with the still valid cookie.

A way to ensure the cookie is not re-usable indefinitely would be to provide an expiry date that can not be extended (not dependent on user activity) as already suggested here a few years back.

Would you be open to support such a feature?

@himanshu123456789000

You can set a hard expiry for session cookies by configuring the expire_after option in Rails' session store. This will ensure that a session cookie cannot be reused after a specific time, no matter how active the user has been.

Here's how you can set it in config/initializers/session_store.rb:

Rails.application.config.session_store :cookie_store, key: '_your_app_session', expire_after: 30.minutes

@Mathiou04
Author

Thanks for the reply @himanshu123456789000

I tried this option but:

  • it sets an expiry date on the cookie (using the native mechanism), changing the cookie from a session cookie to a persistent cookie.
    The consequence is that this cookie won't expire when the browser is closed; it will be stored on the user's device, which is not a good security practice.
    In our case we would like to keep a session cookie (that disappears after the browser is closed) but also add an expiry mechanism in case the browser stays open for too long, re-using the same session cookie.

  • using the Rails expiry mechanism, we can't manage the different types of accounts separately (for example if we have 2 different Devise models).
    It is possible to have different security constraints on different account types and, for example, not want to expire all authentication sessions the same way.

  • it seems that this expiry is extended on each request, exactly like the Timeout module (I would need to cross-check that though)
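The difference between the two timeout models discussed in this thread, shown as an added example that is not Devise's code and not code posted by either participant. It is plain Ruby with a Hash standing in for the Rails session, so it runs without Rails; the key names logged_in_at and last_request_at are assumptions. The absolute check compares against the time the session was created and is never refreshed by a request, so it cannot be extended by continued activity; the sliding check is the Timeoutable-style one that activity keeps alive. Because the limit is enforced from data inside the session rather than via an Expires attribute on the cookie, the cookie can stay a browser-session cookie, and the lifetime passed to the check can differ per Devise model (a Warden after_set_user hook is one place such a check could be wired in; that wiring is not shown here).

```ruby
require 'time'

# Constructed example: an absolute (non-sliding) session timeout check next to a
# sliding (activity-based) one. 'session' is a plain Hash standing in for the Rails
# session; LOGIN_AT_KEY / LAST_SEEN_KEY are assumed key names, not Devise's.
module AbsoluteTimeout
  LOGIN_AT_KEY  = 'logged_in_at'
  LAST_SEEN_KEY = 'last_request_at'

  # Called once, at sign-in: record when the session was created.
  def self.start_session(session, now = Time.now.utc)
    session[LOGIN_AT_KEY]  = now.iso8601
    session[LAST_SEEN_KEY] = now.iso8601
    session
  end

  # Absolute check: expired once now - login time exceeds max_lifetime,
  # regardless of how many requests were made in between.
  def self.absolute_expired?(session, max_lifetime, now = Time.now.utc)
    started = session[LOGIN_AT_KEY]
    return true if started.nil? # no login timestamp: fail closed
    now - Time.iso8601(started) > max_lifetime
  end

  # Sliding check (Timeoutable-style): measured from the last request, and
  # every accepted request refreshes it, so activity extends the session.
  def self.sliding_expired?(session, idle_limit, now = Time.now.utc)
    last = session[LAST_SEEN_KEY]
    return true if last.nil?
    now - Time.iso8601(last) > idle_limit
  end

  # Simulate one authenticated request. Either limit rejects the request; only
  # the sliding one is refreshed on success. On rejection the server-side
  # session state is cleared so the cookie carries nothing reusable.
  def self.handle_request(session, max_lifetime:, idle_limit:, now:)
    if absolute_expired?(session, max_lifetime, now) || sliding_expired?(session, idle_limit, now)
      session.clear
      return :rejected
    end
    session[LAST_SEEN_KEY] = now.iso8601
    :ok
  end
end

# Demonstration: a client keeps sending a request every 10 minutes. The 30-minute
# sliding limit alone would never expire this session; the 2-hour absolute
# limit rejects request 13 (at 130 minutes) and everything after it.
def demo
  t0 = Time.utc(2024, 9, 17, 9, 0, 0) # constructed timestamp
  session = AbsoluteTimeout.start_session({}, t0)
  (1..15).map do |i|
    now = t0 + i * 10 * 60
    AbsoluteTimeout.handle_request(session, max_lifetime: 2 * 60 * 60,
                                            idle_limit: 30 * 60, now: now)
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints twelve :ok results followed by three :rejected ones; swapping in a sliding-only check for the same request pattern would print :ok for every request, which is the circumvention described in the original post.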
