You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
#125 switches to using the new ActionDispatch::Session::AbstractSecureStore but it does not change the key used to store sessions in redis. This means that there is still potentially a timing attack that could be used against looking up a session.
We should use the Rack::Session::SessionId#private_id as the key in redis storage and #public_id in the cookie.
It would seem reasonable to fallback to using the #public_id for sessions that have not yet been converted to use the #private_id for their key.
#125 switches to using the new
ActionDispatch::Session::AbstractSecureStorebut it does not change the key used to store sessions in redis. This means that there is still potentially a timing attack that could be used against looking up a session.We should use the
Rack::Session::SessionId#private_idas the key in redis storage and#public_idin the cookie.It would seem reasonable to fallback to using the
#public_idfor sessions that have not yet been converted to use the#private_idfor their key.rails/activerecord-session_store#151 could be used for inspiration.
I've submitted on a PR for this and tested it out on our app.
The text was updated successfully, but these errors were encountered: