From d76c2e82328ed2a00add7bdfb528ed4393e640b7 Mon Sep 17 00:00:00 2001
From: Louise Crow
Date: Fri, 21 Nov 2014 14:54:26 +0000
Subject: Enforce a lifetime on session cookies

Problem described in http://seclists.org/fulldisclosure/2013/Sep/145
Pattern taken from https://www.coffeepowered.net/2013/09/26/rails-session-cookies/
---
 app/controllers/application_controller.rb | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

(limited to 'app/controllers/application_controller.rb')

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1ccf7e5db..a06fa7098 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -30,6 +30,8 @@ class ApplicationController < ActionController::Base
   before_filter :check_in_post_redirect
   before_filter :session_remember_me
   before_filter :set_vary_header
+  before_filter :validate_session_timestamp
+  after_filter :persist_session_timestamp
 
   def set_vary_header
     response.headers['Vary'] = 'Cookie'
@@ -121,6 +123,29 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  # Set a TTL for non "remember me" sessions so that the cookie
+  # is not replayable forever
+  SESSION_TTL = 3.hours
+  def validate_session_timestamp
+    if session[:user_id] && session.key?(:ttl) && session[:ttl] < SESSION_TTL.ago
+      clear_session_credentials
+      redirect_to signin_path
+    end
+  end
+
+  def persist_session_timestamp
+    session[:ttl] = Time.now if session[:user_id] && !session[:remember_me]
+  end
+
+  # Logout form
+  def clear_session_credentials
+    session[:user_id] = nil
+    session[:user_circumstance] = nil
+    session[:remember_me] = false
+    session[:using_admin] = nil
+    session[:admin_name] = nil
+  end
+
   def render_exception(exception)
     # In development or the admin interface let Rails handle the exception
     # with its stack trace templates
-- 
cgit v1.2.3
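Review bot: `before_filter :validate_session_timestamp` is appended after `check_in_post_redirect`, `session_remember_me` and `set_vary_header`, so those filters (and any declared above line 30, outside the hunk) run against a session that this filter may then discard; if any of them reads `session[:user_id]`, which is not visible here, it acts on an expired login before the redirect halts the chain. Declaring the expiry check ahead of the filters that consume the session, e.g. moving `before_filter :validate_session_timestamp` above `before_filter :check_in_post_redirect`, keeps the stale-session case from reaching them. The class body continues outside the hunk on both sides.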
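Review bot: A logged-in, non-remember-me session that carries no `:ttl` key is never expired by `validate_session_timestamp`, because the `session.key?(:ttl)` test skips the check instead of failing it, so every session cookie issued before this deploy stays valid indefinitely, which is exactly the replay case the commit sets out to close. Since `persist_session_timestamp` only ever writes `:ttl` for non-remember-me logins, a missing key is the signal to treat as expired for them: `if session[:user_id] && !session[:remember_me] && (session[:ttl].nil? || session[:ttl] < SESSION_TTL.ago)`; the `!session[:remember_me]` term also stops a remember-me login from being ended by a stale `:ttl` left over from an earlier ordinary login. The cost is a one-off sign-out of existing non-remember-me sessions when this is deployed, which is presumably acceptable. Separately, `:ttl` is refreshed on every request by the after_filter, so this is an idle timeout rather than the absolute lifetime the subject line describes; the comment on `SESSION_TTL` would be clearer as `# Idle timeout for non "remember me" sessions: the timestamp is refreshed on every request, so a captured cookie stops working SESSION_TTL after its last use`. If this region of the class is not already under `private`, these three helpers are public controller methods and would be better marked private so they cannot be routed to as actions.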