Rails 4：会话到期？ [英] Rails 4: Session Expiry?

问题描述

我刚刚从Rails 3.2切换到Rails 4.我试图确保我在安全问题上尽可能高速，我关心的会话现在。看起来Rails 4已经远离了支持真正任何基于cookie的会话，但它似乎是不可能阻止基于cookie的会话永远活着。我一直在阅读几篇文章，但这是最官方的： http://guides.rubyonrails.org/ security.html＃session-expiry 。请注意他们如何指出这是一个基于cookie的会话的问题，然后他们为基于数据库的会话（现在已弃用，显然）修复。

我真的很困惑。我希望能够防止攻击者获得一个Cookie，让他能够永久访问我的受登录保护的网站。显然，我可以设置：expire_after在initializers / session_store.rb，但除非我错了，只是设置cookie的客户端的过期，并容易被攻击者改变，所以会话可以永远活着。当然，我可以通过强制SSL，使用安全的cookie和强制只有HTTP，但这将永远不会是一个完整的防御，直到我可以强制会话过期。

如何解决这个问题，当Rails不赞成唯一的方式有服务器端会话？

我知道活动记录会话已被移动到一个gem，仍然可用，但事实仍然是，它已被弃用。

解决方案

Rails具有篡改功能，可以在不引入更多依赖关系的情况下，证明会话cookie。为了防止会话哈希篡改，从具有服务器端秘密的会话计算摘要，并将其插入到cookie的结尾。只要确保你有一个长的秘密。如果您要定期重置所有用户会话，请更改您的密钥。

要回答您的问题，如果您想为会话数据添加额外的超时：

  session [：user_id] = user.id 
 session [：expires_at] = Time.current + 24。小时
  

然后，当验证用户时，执行：

  if session [：expires_at]< Time.current 
＃退出用户
 end 
  

希望有帮助。 / p>

I just made the switch from Rails 3.2 to Rails 4. I'm trying to make sure I'm as up-to-speed as possible on security issues, and I'm concerned about sessions right now. It looks like Rails 4 has moved away from supporting really anything EXCEPT cookie-based sessions, but it sounds like it's not possible to prevent cookie-based sessions from living forever. I've been reading several articles, but this one is the most official: http://guides.rubyonrails.org/security.html#session-expiry . Notice how they point out that this is an issue for cookie-based sessions, then they give a fix for it for database-based sessions (which are now deprecated, apparently).

I'm really confused. I want to be able to prevent an attacker from getting a cookie that gives him permanent access to my login-protected site. Obviously I can set :expire_after in initializers/session_store.rb, but unless I'm wrong that simply sets the expiration of the cookie which is client-side and easily altered by an attacker so the session can live forever. Of course I can make things better by forcing SSL, using secure cookies, and forcing HTTP only, but this will never be a complete defence until I can enforce session expiry.

How can I solve this problem when Rails is deprecating the only ways to have server-side sessions?

I know active record sessions has been moved into a gem and is still available, but the fact remains that it has been deprecated. A solution should be possible without introducing more dependencies, or at the very least without using deprecated features.

解决方案

Rails has "tamper-proof" session cookies. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie. Just make sure you have a long secret. If you want to periodically reset all user sessions change your secret.

To answer your question, if you want to add an extra time-out to the session data you could do:

session[:user_id] = user.id
session[:expires_at] = Time.current + 24.hours

Then, when authenticating users, do:

if session[:expires_at] < Time.current
  # sign out user
end

Hope that helps.

这篇关于Rails 4：会话到期？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！