devise-otp icon indicating copy to clipboard operation
devise-otp copied to clipboard

Published 20 hours ago verified publisher icon wmlele

create_with_otp destroys existing session

Open borgand opened this issue 8 years ago • 5 comments

The DeviseOtpAuthenticatable::Hooks::Sessions#create_with_otp method destroys previous data in warden.session when OTP challenge is required. See sessions.rb:23

This conflicts with many important features of Devise and related plugins, such as:

  • return_to functionality is ignored - user is redirected to root URL instead of requested resource when authentication is complete
  • password_expired information is lost in the Devise Security Extensions plugin, meaning that the users are not required to change their passwords, regardless that they are actually expired.
  • probably many other features too, that I did not test yet.

I tried to tweak the code to get around this, but failed as I'm not familiar with the concepts of Devise-OTP.

Can the Devise-OTP functionality be altered so that previous session information is persisted? This seems reasonable, taking into account that OTP most often is used together with another authentication mechanism to form 2FA and that other mechanism can expect session to persist once created.

borgand avatar Oct 25 '16 16:10 borgand

@borgand is this still relevant? what would be the acceptable behaviour?

strzibny avatar Mar 24 '22 09:03 strzibny

Hi! We are migrating away from this gem due to this, so this is so relevant, but probably we complete migration before any fixes.

Two main aspects:

  • UX: any user using either a direct link or working on a page when session express will be redirected to root page, loosing context and needing to navigate again.
  • Security: allowing to continue login with expired password is a potential vulnerability.

Therefore I still suggest this to be fixed.

Acceptable behaviour would be that the session data is persisted during an OTP challenge.

😄

borgand avatar Mar 24 '22 09:03 borgand

Thanks for a quick reply. I'll look into it.

strzibny avatar Mar 24 '22 12:03 strzibny

Btw this commit probably fixed the location at least (but I understand there are other possible issues) https://github.com/wmlele/devise-otp/commit/7c2fbe9a1efd4db52e383d9495b3728f0cdf14b7

strzibny avatar Mar 24 '22 12:03 strzibny

Security: allowing to continue login with expired password is a potential vulnerability.

Do I understand it correctly that this is only due to use of Devise Security Extensions plugin? Like due to logging out this is not compatible?

strzibny avatar Mar 24 '22 12:03 strzibny

@strzibny, I have a solution for this issue in PR #80.

strouptl avatar May 25 '24 23:05 strouptl