I decided to hand-roll the authentication for my rails app and wonder what are some gotchas I should know about? I have read the rails security guide/owasp and skimmed through the Sorcery codebase. I will be using the builtin has_secure_password and has_secure_token
I am aware of the session fixation attacks, so in order to prevent them, I reset the session every time user logs in. Also, password reset tokens have very short expiry time and can be used only once (tokens aren’t hashed though, see: https://news.ycombinator.com/item?id=5033266). I have also read about timing attacks, but not sure whether it is a material thing to worry about (i.e. leaking info about the system)
Assume all usual suspects are covered: TLS, HSTS, strict CSP, CSRF tokens, samesite cookies (lax) with “__Host-” prefix + secure/httponly flag, security headers, encrypted DB at rest, password hashing with bcrypt with high number of iterations.
P.S. I know that there are several gems that provide auth functionality, but i still want to roll it myself.