From 72fcd18521d4b65b391310e758d5f8a2cb677950 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Tue, 18 Nov 2014 16:18:31 +0000 Subject: Add secureheaders Issue some security-related headers by default. --- app/controllers/application_controller.rb | 3 +++ 1 file changed, 3 insertions(+) (limited to 'app/controllers/application_controller.rb') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 4d3f40d40..1ccf7e5db 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -17,6 +17,9 @@ class ApplicationController < ActionController::Base # assign our own handler method for non-local exceptions rescue_from Exception, :with => :render_exception + # Add some security-related headers (see config/initializers/secure_headers.rb) + ensure_security_headers + # Standard headers, footers and navigation for whole site layout "default" include FastGettext::Translation # make functions like _, n_, N_ etc available) -- cgit v1.2.3 From d76c2e82328ed2a00add7bdfb528ed4393e640b7 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Fri, 21 Nov 2014 14:54:26 +0000 Subject: Enforce a lifetime on session cookies Problem described in http://seclists.org/fulldisclosure/2013/Sep/145 Pattern taken from https://www.coffeepowered.net/2013/09/26/rails-session-cookies/ --- app/controllers/application_controller.rb | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'app/controllers/application_controller.rb') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 1ccf7e5db..a06fa7098 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -30,6 +30,8 @@ class ApplicationController < ActionController::Base before_filter :check_in_post_redirect before_filter :session_remember_me before_filter :set_vary_header + before_filter :validate_session_timestamp + after_filter :persist_session_timestamp def set_vary_header response.headers['Vary'] = 'Cookie' @@ -121,6 +123,29 @@ class ApplicationController < ActionController::Base end end + # Set a TTL for non "remember me" sessions so that the cookie + # is not replayable forever + SESSION_TTL = 3.hours + def validate_session_timestamp + if session[:user_id] && session.key?(:ttl) && session[:ttl] < SESSION_TTL.ago + clear_session_credentials + redirect_to signin_path + end + end + + def persist_session_timestamp + session[:ttl] = Time.now if session[:user_id] && !session[:remember_me] + end + + # Logout form + def clear_session_credentials + session[:user_id] = nil + session[:user_circumstance] = nil + session[:remember_me] = false + session[:using_admin] = nil + session[:admin_name] = nil + end + def render_exception(exception) # In development or the admin interface let Rails handle the exception # with its stack trace templates -- cgit v1.2.3 From 9ddfdfff9366793516bc09289a1da6156dfd12ca Mon Sep 17 00:00:00 2001 From: Gareth Rees Date: Thu, 2 Oct 2014 10:17:07 +0100 Subject: Add global protect_from_forgery MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Grepping the git logs didn’t bring up a good reason for this to be excluded. Seems like it came along after the app was initially created so it never got fully added for fear of regressions. The specs pass for this commit. --- app/controllers/application_controller.rb | 2 ++ 1 file changed, 2 insertions(+) (limited to 'app/controllers/application_controller.rb') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 4d3f40d40..445a13d0c 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -14,6 +14,8 @@ class ApplicationController < ActionController::Base end class RouteNotFound < StandardError end + protect_from_forgery + # assign our own handler method for non-local exceptions rescue_from Exception, :with => :render_exception -- cgit v1.2.3