
Allow use of secure session only

Open tmandke opened this issue 2 years ago • 1 comments

This change allows disabling the fallback used to access old, insecure sessions and rewrite them as secure sessions. The fallback was originally added as part of the mitigation of CVE-2019-25025 several years back.

Motivation

This fallback mechanism was added 4 years ago. In many cases, or at least in our case, the expiry on old, insecure sessions has long since passed. We'd like the ability to disable the fallback entirely, as it will never be a valid path for us.

tmandke avatar Mar 28 '23 16:03 tmandke
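The lookup path the issue describes, as an added illustration that is not code from activerecord-session_store or from this PR: sessions are stored under a hashed ("secure") key derived from the cookie value, a row still keyed by the raw id can optionally be found and rewritten under the secure key, and a flag turns that legacy path off. The class and method names, the `allow_legacy_fallback` option, and the `2::` + SHA-256 key format are assumptions made for the example; the real gem's secure id format and configuration option are not shown on this page.

```ruby
require "digest"

# Toy model of a session table with a secure-key lookup and an optional
# legacy fallback. Not the gem's code; names and key format are assumptions.
class SessionStore
  # Assumed secure id: hash the raw cookie value before using it as a key,
  # so the table never stores the value a client presents.
  def self.private_id(public_id)
    "2::" + Digest::SHA256.hexdigest(public_id)
  end

  attr_reader :rows

  def initialize(allow_legacy_fallback: true)
    @allow_legacy_fallback = allow_legacy_fallback
    @rows = {} # stand-in for the sessions table: key => session data
  end

  # New sessions are written under the secure key only.
  def write(public_id, data)
    @rows[self.class.private_id(public_id)] = data
  end

  # Constructed fixture: a row left behind by a store that keyed on the raw id.
  def seed_legacy(public_id, data)
    @rows[public_id] = data
  end

  # Secure key first; the raw-id lookup runs only while the fallback is enabled,
  # and a hit is migrated so the next request finds it under the secure key.
  def find(public_id)
    secure_key = self.class.private_id(public_id)
    return @rows[secure_key] if @rows.key?(secure_key)
    return nil unless @allow_legacy_fallback

    data = @rows.delete(public_id)
    return nil if data.nil?

    @rows[secure_key] = data # rewrite the legacy row as a secure session
    data
  end
end
```

With the fallback enabled, a request presenting a legacy id is served once and its row is rewritten under the secure key; with it disabled, the same request is treated as having no session and the legacy row is never consulted, which is the behaviour the issue asks for once all pre-migration sessions have expired.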

👋 Hello! Anything we can do to help this one along? We'd love to get back on the mainline version.

Thank you.

stevenharman avatar Nov 03 '23 15:11 stevenharman

😄 bump! Any hopes of getting this merged?

stevenharman avatar Mar 21 '25 20:03 stevenharman

@byroot I had to further update the patch for ActionDispatch::Assertions::RoutingAssertions::WithIntegrationRouting for these tests to pass. I worry that we're chasing a moving target - as the underlying test infra in Rails improves/changes, we have to constantly patch our test setup to be compatible. Is there a better way to do this?

stevenharman avatar Apr 03 '25 20:04 stevenharman

Is there a better way to do this?

Not that I know of. I'm also quite surprised such complexity is needed. I think it might be because gems like this one are expected to have a test/dummy app?

byroot avatar Apr 07 '25 07:04 byroot