Don't store auth token in cookies by releu
We had a security hole because we stored the auth token in cookies.
This code is insecure:
def current_user
  @current_user ||= (User.find_by_id(session[:user_id]) || begin
    Account::Cookie.user_by_secret(cookies[:secret])
  end)
end
How to hack:
Assume that othersite.com serves the following HTML:
<form action="http://gistflow.com/account/following/releu" method="post">
</form>
$('form').submit();
The request carries no #CSRF token, so #rails nullifies the current user session, but the user is then found again by the token in cookies.
The right solution is to store only public information in cookies.
To keep the user's session after the browser is closed, increase the session lifetime instead:
Gistflow::Application.config.session_store :redis_store, expire_after: 8.days
Now if we receive a request without a CSRF token, we nullify the session and nothing bad happens.
P.S. Don't trust everything you google. This solution has the same bug: http://railscasts.com/episodes/274-remember-me-reset-password.
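To make the behaviours concrete, here is an added example (not the post's or Gistflow's code) that stands in for the Rails session, cookies and forgery check with plain Ruby. It runs the post's resolver, the session-only fix above, and the variant from the comments that also clears the secret cookie on a CSRF failure, against a same-site POST and a cross-site POST that carries no token. The user, secret and token values are constructed.

```ruby
User = Struct.new(:id, :login, :remember_secret)
REMEMBER_SECRET = 'constructed-remember-secret' # constructed sample value
USERS = [User.new(1, 'releu', REMEMBER_SECRET)].freeze

# A request as the controller sees it: server-side session, the cookies the browser
# attached, and the CSRF token submitted with the form (nil when the form had none).
Request = Struct.new(:session, :cookies, :csrf_token)

class UserResolver
  # cookie_fallback: look the user up by cookies[:secret] when the session holds none
  # clear_cookie_on_unverified: additionally drop the secret cookie on CSRF failure
  def initialize(cookie_fallback:, clear_cookie_on_unverified: false)
    @cookie_fallback = cookie_fallback
    @clear_cookie_on_unverified = clear_cookie_on_unverified
  end

  # Mirrors Rails' default handle_unverified_request: reset the session on mismatch.
  def verify_authenticity(req)
    return if req.csrf_token && req.csrf_token == req.session[:_csrf_token]
    req.session.clear
    req.cookies.delete(:secret) if @clear_cookie_on_unverified
  end

  # The post's current_user, with the cookie lookup made optional.
  def current_user(req)
    verify_authenticity(req)
    user = USERS.find { |u| u.id == req.session[:user_id] }
    user ||= USERS.find { |u| u.remember_secret == req.cookies[:secret] } if @cookie_fallback
    user
  end
end

# A logged-in browser's state (fresh copies each call): session plus remember-me cookie.
# The browser attaches the cookies to any POST to the site; only the site's own form
# also submits the session's CSRF token, so nil models a cross-site POST.
def build_request(csrf_token)
  session = { user_id: 1, _csrf_token: 'tok' }
  Request.new(session, { secret: REMEMBER_SECRET }, csrf_token)
end

VULNERABLE = UserResolver.new(cookie_fallback: true)    # the post's original code
SESSION_ONLY = UserResolver.new(cookie_fallback: false) # the post's fix
CLEAR_ON_FAIL = UserResolver.new(cookie_fallback: true, clear_cookie_on_unverified: true)

# Login of the user a resolver would act as for a POST carrying csrf_token, or nil.
def resolved_login(resolver, csrf_token)
  user = resolver.current_user(build_request(csrf_token))
  user && user.login
end
```

With the cookie fallback, the token-less POST is still attributed to releu after the session reset; both fixes leave it anonymous while the same-site POST keeps working.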
Comments
makaroni4 commented 11 months ago
@homakov found this bug, thanks a lot, Egor!
cvb commented 11 months ago
You actually can keep it in a cookie, but you should clear it together with the session cookie in case of a wrong CSRF token; you can also keep it right in the session cookie.
And btw, an 8-day session lifetime is too small :(