I’ve been Googling this question for the past few hours, and I think it’s time I simply ask this question myself.
I just made the switch from Rails 3.2 to Rails 4. I’m trying to make sure I’m as up-to-speed as possible on security issues, and I’m concerned about sessions right now. It looks like Rails 4 has moved away
from supporting really anything EXCEPT cookie-based sessions, but it sounds like it’s not possible to prevent cookie-based sessions from living forever. I’ve been reading several articles, but this one is the most official: http://guides.rubyonrails.org/security.html#session-expiry
. Notice how they point out that this is an issue for cookie-based sessions, then they give a fix for it for database-based sessions (which
are now deprecated, apparently).
I’m really confused. I want to be able to prevent an attacker from getting a cookie that gives him permanent access to my login-protected site. Obviously I can set :expire_after in initializers/session_store.rb, but unless I’m wrong that simply sets the
expiration of the cookie which is client-side and easily altered by an attacker so the session can live forever. Of course I can make things better by forcing SSL, using secure cookies, and forcing HTTP only, but this will never be a complete defense until I can enforce session expiry.
How can I solve this problem when Rails is deprecating the only ways to have server-side sessions? Advice would certainly be appreciated!
(P.S. I know active record sessions has been moved into a gem and is still available, but the fact remains that it has been deprecated. A solution should be possible without introducing more dependencies, or at
the very least without using deprecated features. I just know I’m missing something)