Reset session on log(in|out) #58
Comments
Do the maintainers agree? Then I'll submit a PR.
@wvengen only 4 years late with my reply ;) As you may have seen, this gem is deprecated. Do you still use it?
Hah, thanks for replying :) Yes, we are still using it. Moving to a different admin framework was a big undertaking (our efforts in this direction are stalled), and we kind of decided to keep using this gem. Our expectations of upstream support have dropped to basically zero, indeed.
We could see if we can transfer ownership or something, though it might actually be simpler to just vendor the gem in your project(s). I have one project left that uses this and I'm thinking of doing that too.
We are using it in two projects (core only), so we'll maintain core anyway, to the extent necessary for ourselves.
@wvengen what's your rubygems handle? You should also be getting the commit bit soon.
Thank you! :) https://rubygems.org/profiles/wvengen
In #57 (comment) it came up that we should probably reset the session after logout and after login.
https://www.owasp.org/index.php/Broken_Authentication_and_Session_Management
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#session-management-best-practices
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#user-logout-and-session-timeouts
https://wblinks.com/notes/secure-session-management-tips/
I would come to the conclusion that both are desirable.
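The two resets the issue asks for (fresh session on login so a pre-authentication session id cannot be carried into an authenticated session, and a reset on logout so the old id stops working server-side), as an added Ruby example that is not code from the gem or from the issue author. The `SessionStore` class is a constructed stand-in for the Rails session and `reset_session`; the `login`/`logout` helpers are hypothetical names.

```ruby
require 'securerandom'

# Constructed model of a cookie-backed session store (assumption: mirrors the
# shape of the Rails session and reset_session; not the gem's own code).
class SessionStore
  def initialize
    @sessions = {} # session id => data hash
  end

  # Create a fresh, empty session and return its id.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  # Equivalent of reset_session: discard the old id and its data and hand
  # the client a brand-new id. The old id is no longer known to the server.
  def reset(id)
    @sessions.delete(id)
    create
  end

  def [](id)
    @sessions[id]
  end
end

# Login: reset FIRST, so whatever id the browser presented before
# authentication (possibly planted, i.e. session fixation) never becomes the
# authenticated session; then store only what the post-login session needs.
def login(store, old_id, user_id)
  new_id = store.reset(old_id)
  store[new_id][:user_id] = user_id
  new_id
end

# Logout: reset again rather than just deleting :user_id, so the
# authenticated id is invalidated server-side and cannot be replayed.
def logout(store, id)
  store.reset(id)
end
```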