6da135a493
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for *all* browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues. |
||
---|---|---|
.. | ||
0_post_deployment_migrations.rb | ||
1_hosts.rb | ||
2_whitelist_mode.rb | ||
active_model_serializers.rb | ||
application_controller_renderer.rb | ||
assets.rb | ||
backtrace_silencers.rb | ||
blacklists.rb | ||
cache_buster.rb | ||
chewy.rb | ||
content_security_policy.rb | ||
cookies_serializer.rb | ||
cors.rb | ||
devise.rb | ||
doorkeeper.rb | ||
fast_blank.rb | ||
ffmpeg.rb | ||
filter_parameter_logging.rb | ||
http_client_proxy.rb | ||
httplog.rb | ||
inflections.rb | ||
json_ld.rb | ||
kaminari_config.rb | ||
mail_delivery_job.rb | ||
makara.rb | ||
mime_types.rb | ||
oj.rb | ||
omniauth.rb | ||
open_uri_redirection.rb | ||
paperclip.rb | ||
permissions_policy.rb | ||
preload_link_headers.rb | ||
premailer_rails.rb | ||
rack_attack.rb | ||
rack_attack_logging.rb | ||
redis.rb | ||
session_activations.rb | ||
session_store.rb | ||
sidekiq.rb | ||
simple_form.rb | ||
single_user_mode.rb | ||
statsd.rb | ||
stoplight.rb | ||
strong_migrations.rb | ||
suppress_csrf_warnings.rb | ||
trusted_proxies.rb | ||
twitter_regex.rb | ||
vapid.rb | ||
webauthn.rb | ||
wrap_parameters.rb |