如何防止Rails用户意外地认证为错误的用户？ [英] How do I prevent Rails users from accidentally authenticating as the wrong user?

问题描述

具体来说，我写了一个Rails应用程序，其中我使用默认（在Rails 2.3.5） CookieStore 会话存储，我发现了一个奇怪的问题

Specifically, I have written a Rails app in which I'm using the default (in Rails 2.3.5) CookieStore session store and I've spotted an odd problem in development.

我和一些其他人已经使用了这个网站了几个星期，我们每个都有一个基于用户名和密码的登录（每个用户注册自己和我把（salted和hashed）数据存储在数据库中）。我将用户ID存储在Rails session 对象中（因此，在浏览器和服务器之间来回传递的cookie中）。

Myself and a few others had been using the site for a few weeks and we each had a login based on a username and password (each user registered themselves and I stored the (salted and hashed) data in the database). I was storing the user ID in the Rails session object (and, therefore, in the cookie that is passed back and forth between browser and server).

这里有一个重要的一点：由于这是一个内部网站，我将cookie设置为活动长达2周，以避免用户始终登录。

One important point here: since this is an intranet site, I set the cookies to stay alive for up to 2 weeks to avoid users having to log in all the time.

今天我重置数据库，擦除所有用户记录（和所有其他数据，故意）。有几个用户开始重新注册自己，然后一个用户发现他们第一次进入该网站，因为擦除他们自动登录为不同的用户！

Today I reset the database, wiping all user records (and all other data, intentionally). A few users started registering themselves again and then one user found that the first time they went to the site since the wipe they were automatically logged-in as a different user!

我想我可以看到为什么会发生这种情况：从用户的浏览器传递到服务器的用户ID现在匹配我的数据库中的不同的用户记录。我最初的想法是哦，亲爱的，我不期待！

I think I can see why this happened: the user ID passed from that user's browser to the server now matched a different user-record in my database. My initial thought was "oh dear, I wasn't expecting that!" but the more I thought about it the more I realised this was probably expected behaviour.

我意识到我可以改变我的Rails应用程序给用户 ActiveRecordStore 但在我之前，我想确保我明白这里发生了什么。具体来说，使用 CookieStore 会话和让会话在一段时间内保持活动的组合真的创造了这样一个巨大的安全漏洞吗？还是我错过了什么？

I realise I can change my Rails app to user ActiveRecordStore but before I did that I wanted to make sure I understand what's going on here. Specifically, does the combination of using CookieStore sessions and having the sessions stay alive for some time really create such a gaping security hole? Or am I missing something? Should the session_id be providing a little more security here?

推荐答案

session_id 最简单的解决方案，你在这里的问题将是改变cookie的名称，当您重置数据库。 Cookie名称应该在config / initializers / session_store.rb

The simplest solution to the problem you had here would be to have changed the cookie name when you reset the database. The cookie name should be in config/initializers/session_store.rb

ActionController::Base.session = {
  :key         => '_your_app_session_v2',

您也可以更改密码，但如果用户可能会生成错误请使用旧Cookie请求网站。

You could also change the secret, but that may generate errors for your users if they request the site with an old cookie.

这篇关于如何防止Rails用户意外地认证为错误的用户？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！