Enforce a lifetime on session cookies

Problem described in http://seclists.org/fulldisclosure/2013/Sep/145

Pattern taken from https://www.coffeepowered.net/2013/09/26/rails-session-cookies/

1 files changed, 25 insertions, 0 deletions

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1ccf7e5db..a06fa7098 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -30,6 +30,8 @@ class ApplicationController < ActionController::Base
     before_filter :check_in_post_redirect
     before_filter :session_remember_me
     before_filter :set_vary_header
+    before_filter :validate_session_timestamp
+    after_filter  :persist_session_timestamp
 
     def set_vary_header
         response.headers['Vary'] = 'Cookie'
@@ -121,6 +123,29 @@ class ApplicationController < ActionController::Base
         end
     end
 
+    # Set a TTL for non "remember me" sessions so that the cookie
+    # is not replayable forever
+    SESSION_TTL = 3.hours
+    def validate_session_timestamp
+        if session[:user_id] && session.key?(:ttl) && session[:ttl] < SESSION_TTL.ago
+            clear_session_credentials
+            redirect_to signin_path
+        end
+    end
+
+    def persist_session_timestamp
+        session[:ttl] = Time.now if session[:user_id] && !session[:remember_me]
+    end
+
+    # Logout form
+    def clear_session_credentials
+        session[:user_id] = nil
+        session[:user_circumstance] = nil
+        session[:remember_me] = false
+        session[:using_admin] = nil
+        session[:admin_name] = nil
+    end
+
     def render_exception(exception)
         # In development or the admin interface let Rails handle the exception
         # with its stack trace templates