Rails 4 Encrypted Cookie Replay Attack

天大地大妈咪最大 submitted on 2019-12-10 18:56:34

Question


I upgraded to Rails 4 recently and switched to encrypted cookies as session storage. Unfortunately this seems to mean that replay attacks are possible, i.e. if a user logs out, any cookies are not invalidated and can be used to authenticate without user/pass. As far as I can tell this is a flaw in how encrypted cookies work (if I'm wrong please enlighten me!), so my question is: is there an accepted solution to preventing replay attacks using encrypted cookies?


Answer 1:


After some research and some tinkering, I have come up with the following solution.

  • When user logs in, create a random secret (random in the sense that subsequent secrets should have a low probability of matching)
  • Store that secret in the session, i.e. in the cookie, as well as server side (I'm using the Dalli gem to provide memcached functionality)
  • On a request for a page that requires authentication, read the secret from the cookie, and make sure it exists server side
  • On logout, delete secret from cache, so any subsequent requests using the same cookies will be invalidated

As long as the cookies cannot be tampered with, then this should be secure. Any thoughts/comments are welcome.
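The four steps above, worked through as an added example (not the poster's code and not a Rails or Dalli API). It assumes a plain Ruby `Hash` as the session (standing in for Rails' encrypted cookie session) and an in-memory `MemoryStore` class as a stand-in for the memcached client; `SessionGuard`, `replay_demo` and the `:auth_secret` key are names chosen here. `replay_demo` shows the point of the scheme: a copy of the session taken before logout authenticates, the same copy presented after logout does not.

```ruby
require 'securerandom'

# Stand-in for the memcached client the answer reaches via Dalli: a Hash keyed
# by the per-login secret. Constructed for this example only.
class MemoryStore
  def initialize
    @data = {}
  end

  def set(key, value)
    @data[key] = value
  end

  def get(key)
    @data[key]
  end

  def delete(key)
    @data.delete(key)
  end
end

# Ties the cookie-held session to a server-side record so logout can revoke it.
class SessionGuard
  def initialize(store)
    @store = store
  end

  # Steps 1 and 2: on login mint a random secret, put it in the session (which
  # Rails would encrypt into the cookie) and record it server side.
  # `session` is any Hash-like object; in Rails it would be the session hash.
  def login(session, user_id)
    secret = SecureRandom.hex(32) # 256 bits, collisions are not a practical concern
    session[:user_id] = user_id
    session[:auth_secret] = secret
    @store.set(secret, user_id)
    secret
  end

  # Step 3: a request counts as authenticated only if the secret carried in the
  # cookie is still known server side AND maps to the user the cookie claims.
  def authenticated?(session)
    secret = session[:auth_secret]
    return false if secret.nil?
    @store.get(secret) == session[:user_id]
  end

  # Step 4: logout deletes the server-side record; any cookie still carrying
  # the old secret fails the check in `authenticated?` from now on.
  def logout(session)
    secret = session.delete(:auth_secret)
    @store.delete(secret) if secret
    session.delete(:user_id)
    nil
  end
end

# Walks through the replay the question describes: a copy of the session made
# while logged in is presented again after logout. Returns [before, after].
def replay_demo
  guard = SessionGuard.new(MemoryStore.new)
  session = {}
  guard.login(session, 42)
  replayed_copy = session.dup # same cookie contents, presented later
  before = guard.authenticated?(replayed_copy)
  guard.logout(session)
  after = guard.authenticated?(replayed_copy)
  [before, after]
end

puts "authenticated before logout: %s, after logout: %s" % replay_demo if $PROGRAM_NAME == __FILE__
```

The cost of the scheme is one cache lookup per authenticated request; in a real deployment the server-side entry should carry a TTL no shorter than the cookie's own expiry, otherwise a still-valid cookie is rejected early, and no longer, otherwise the cache keeps accepting secrets the cookie has already outlived.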



Source: https://stackoverflow.com/questions/18337152/rails-4-encrypted-cookie-replay-attack
