author Jens Wille <jens.wille@uni-koeln.de> 2009-09-15 18:25:29 +0200
committer Jens Wille <jens.wille@uni-koeln.de> 2009-09-15 18:30:14 +0200
commit 0ab2e5f45b4603de04f36b48fd423920c6083fa4 (patch)
tree 93a559d7caa676cd6230be668424dd1acaddb8a2 /railties/guides/source/security.textile
parent 4e45fa05652ba64bd05824ff84b68732ff657306 (diff)
Simplify Session.sweep example?
Diffstat (limited to 'railties/guides/source/security.textile')
-rw-r--r-- railties/guides/source/security.textile | 22
1 files changed, 10 insertions, 12 deletions
diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile
index 5acb0c599d..ecf68b56f9 100644
--- a/railties/guides/source/security.textile
+++ b/railties/guides/source/security.textile
@@ -149,26 +149,24 @@ h4. Session Expiry
-- _Sessions that never expire extend the time-frame for attacks such as cross-site reference forgery (CSRF), session hijacking and session fixation._
-One possibility is to set the expiry time-stamp of the cookie with the session id. However the client can edit cookies that are stored in the web browser so expiring sessions on the server is safer. Here is an example of how to _(highlight)expire sessions in a database table_. Call +Session.sweep("20m")+ to expire sessions that were used longer than 20 minutes ago.
+One possibility is to set the expiry time-stamp of the cookie with the session id. However the client can edit cookies that are stored in the web browser so expiring sessions on the server is safer. Here is an example of how to _(highlight)expire sessions in a database table_. Call +Session.sweep("20 minutes")+ to expire sessions that were used longer than 20 minutes ago.
<ruby>
class Session < ActiveRecord::Base
- def self.sweep(time_ago = nil)
-
 time = case time_ago
-
 when /^(\d+)m$/ then Time.now - $1.to_i.minute
-
 when /^(\d+)h$/ then Time.now - $1.to_i.hour
-
 when /^(\d+)d$/ then Time.now - $1.to_i.day
-
 else Time.now - 1.hour
-
 end
-
 self.delete_all "updated_at < '#{time.to_s(:db)}'"
-
 end
-
end
+ def self.sweep(time = 1.hour)
+ time = time.split.inject { |count, unit|
+ count.to_i.send(unit)
+ } if time.is_a?(String)
+
+ delete_all "updated_at < '#{time.ago.to_s(:db)}'"
+ end
+end
</ruby>
The section about session fixation introduced the problem of maintained sessions. An attacker maintaining a session every five minutes can keep the session alive forever, although you are expiring sessions. A simple solution for this would be to add a created_at column to the sessions table. Now you can delete sessions that were created a long time ago. Use this line in the sweep method above:
<ruby>
-self.delete_all "updated_at < '#{time.to_s(:db)}' OR
+delete_all "updated_at < '#{time.to_s(:db)}' OR
created_at < '#{2.days.ago.to_s(:db)}'"
</ruby>
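Review bot: the replacement line at the end of the hunk, `delete_all "updated_at < '#{time.to_s(:db)}' OR`, is now inconsistent with the rewritten `sweep` above it: in the new method `time` is a duration (`1.hour`, or the value built from the string), not a `Time`, and only `time.ago` yields a timestamp, so the two-condition line the text tells readers to drop into `sweep` should read `delete_all "updated_at < '#{time.ago.to_s(:db)}' OR created_at < '#{2.days.ago.to_s(:db)}'"` to match the new body. Two further points in the new `sweep`: the old `case` accepted only the `m`, `h` and `d` units, whereas `count.to_i.send(unit)` invokes whatever method name follows the number, so callers must never hand this method an untrusted string; for a security guide it is worth restricting `unit` to an allowed list (for example `%w(minutes hours days)`) and raising on anything else, and worth noting that a one-word string such as `"20"` makes `inject` return the string unchanged, so `time.ago` then raises `NoMethodError`. Finally, since this guide teaches against building SQL by interpolation, the condition could use the placeholder form `delete_all ["updated_at < ?", time.ago]` rather than interpolating `to_s(:db)` into the string.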