This repository has been archived by the owner on Mar 8, 2021. It is now read-only.

Friend should rotate session identifiers upon privilege escalation events #155

Open
RutledgePaulV opened this issue Jun 22, 2017 · 1 comment

Comments

@RutledgePaulV

Hi!

I noticed that friend doesn't reissue session IDs on successful authentication (or role changes), but the security world generally believes this to be good practice since it mitigates a number of other risks.

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change

@cemerick
Owner

Good suggestion. Should be easy; looks like Ring now supports easily regenerating session cookie IDs (via :recreate session metadata).
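For readers following the thread, here is what the `:recreate` mechanism mentioned above looks like in a plain Ring application. This is an added example, not friend's code and not a patch from either participant: friend keeps its authentication map under its own namespaced session key, whereas this example uses a plain `:identity` key and a constructed `authenticate` stub standing in for a real credential check. It assumes ring-core 1.6 or later, where `wrap-session` treats `{:recreate true}` metadata on the response's `:session` map as an instruction to delete the current session key from the store and write the data under a freshly generated key, so the client receives a new cookie value.

```clojure
(ns example.login
  (:require [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.memory :refer [memory-store]]
            [ring.util.response :as resp]))

;; Constructed stand-in for a credential check. A real application would
;; verify a password hash against a user store instead of comparing literals.
(defn authenticate [username password]
  (when (and (= username "alice") (= password "correct horse"))
    {:identity username :roles #{::user}}))

(defn rotate-session
  "Tag `new-session` so that ring's wrap-session discards the caller's
   current session key and stores the data under a fresh one. The browser
   gets a new Set-Cookie, so a session id fixed or sniffed before the
   privilege change no longer refers to an authenticated session."
  [new-session]
  (vary-meta new-session assoc :recreate true))

(defn login-handler [{:keys [session params]}]
  (if-let [auth (authenticate (:username params) (:password params))]
    ;; anonymous -> authenticated is a privilege-level change: keep the
    ;; session data we still want, but never keep the old identifier.
    (-> (resp/redirect "/")
        (assoc :session (rotate-session (assoc session :identity auth))))
    (-> (resp/response "bad credentials")
        (resp/status 401))))

(defn grant-role-handler
  "Same treatment for a role change, which the OWASP cheat sheet linked in
   this issue also counts as a privilege-level change."
  [{:keys [session]}]
  (-> (resp/response "role granted")
      (assoc :session
             (rotate-session
              (update-in session [:identity :roles] (fnil conj #{}) ::admin)))))

(def app
  (-> (fn [req]
        (case [(:request-method req) (:uri req)]
          [:post "/login"] (login-handler req)
          [:post "/grant"] (grant-role-handler req)
          (resp/not-found "not found")))
      ;; memory-store is fine for a demo; the :recreate behaviour is the
      ;; same for any SessionStore implementation.
      (wrap-session {:store (memory-store)
                     :cookie-attrs {:http-only true :secure true}})))
```

Two caveats when applying this pattern: the rotation only happens on responses where the handler actually returns a `:session` key, so every code path that changes authentication state (including logout, which should return `:session nil` to delete the session outright) needs to go through it; and carrying the old session map over, as `login-handler` does, preserves anything an attacker could have planted in a pre-authentication session, so drop any pre-login state you do not explicitly need rather than copying the whole map.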

RutledgePaulV pushed a commit to RutledgePaulV/friend that referenced this issue Jul 25, 2017