I upgraded to Rails 4 recently and switched to encrypted cookies as session storage. Unfortunately this seems to mean that replay attacks are possible, i.e. if a user logs out, any cookies are not invalidated and can be used to authenticate without user/pass. As far as I can tell this is a flaw in how encrypted cookies work (if I'm wrong please enlighten me!), so my question is: is there an accepted solution to preventing replay attacks using encrypted cookies?
- Here's a similar approach for users of `devise`: http://stackoverflow.com/questions/7359730/devise-invalidate-user-session-if-the-same-user-logs-in-from-a-different-brows – ChrHansen Sep 10 '13 at 03:56
- *if a user logs out, any cookies are not invalidated*: so, you should invalidate the session cookie and that will fix things – Zabba Dec 14 '13 at 07:42
1 Answer
After some research and some tinkering, I have come up with the following solution.
- When the user logs in, create a random secret (random in the sense that subsequent secrets should have a low probability of matching).
- Store that secret in the session, i.e. in the cookie, as well as server side; I'm using the Dalli gem to provide memcached functionality.
- On a request for a page that requires authentication, read the secret from the cookie and make sure it exists server side.
- On logout, delete the secret from the cache, so any subsequent requests using the same cookies will be invalidated.
As long as the cookies cannot be tampered with, this should be secure. Any thoughts/comments are welcome.

Slicedpan
- Why not just make sure the session cookie is deleted on log out? You are doing essentially the same thing when you are deleting this "random secret" on logout. – Zabba Dec 14 '13 at 07:41
- Deleting the cookie in the client's browser does not really help. The issue here is that if someone does get hold of a valid session cookie, that session can last even after the legitimate user logs out of their account. Telling the client to delete the cookie does not prevent this from happening, and you are relying on the browser to honour the request. My method ensures that a legit user can always invalidate their session, meaning any existing session cookies (which may have been disclosed) will no longer be valid. – Slicedpan Dec 16 '13 at 09:19
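The four steps in the answer, written out as a runnable Ruby example. This is an added illustration, not the answerer's code: `MemoryCache` is an in-memory stand-in for the Dalli/memcached client (it mimics Dalli's `get`/`set`/`delete` calls; in the real app it would be a `Dalli::Client`), `SessionGuard` and its method names are hypothetical, and a plain Hash stands in for the Rails cookie-backed session. The demonstration at the end copies the session contents (what an attacker who captured the cookie would hold) and shows that the copy authenticates before logout and is rejected after it.

```ruby
require 'securerandom'

# Stand-in for the Dalli/memcached client mentioned in the answer (assumption
# for this example): an in-memory hash exposing get/set/delete like Dalli does.
# In production this would be Dalli::Client.new('localhost:11211').
class MemoryCache
  def initialize
    @data = {}
  end

  def set(key, value, _ttl = nil)
    @data[key] = value
    true
  end

  def get(key)
    @data[key]
  end

  def delete(key)
    !@data.delete(key).nil?
  end
end

# The scheme from the answer: a random per-login secret is kept both in the
# (encrypted, tamper-proof) cookie session and in the server-side cache. The
# cache is the source of truth, so removing the secret there on logout makes
# every copy of the cookie, leaked or not, stop authenticating.
class SessionGuard
  SESSION_TTL = 24 * 60 * 60 # seconds; assumption, set to the app's policy

  def initialize(cache)
    @cache = cache
  end

  # `session` plays the role of the Rails session hash backed by the cookie.
  def login(session, user_id)
    secret = SecureRandom.hex(32) # 256 random bits: guessing/collision negligible
    @cache.set(cache_key(secret), user_id, SESSION_TTL)
    session[:user_id] = user_id
    session[:session_secret] = secret
    secret
  end

  # What a before_action on an authenticated page would call.
  def authenticated?(session)
    secret = session[:session_secret]
    return false if secret.nil?

    cached_user = @cache.get(cache_key(secret))
    # The secret must still exist server side and belong to the user the cookie names.
    !cached_user.nil? && cached_user == session[:user_id]
  end

  # Logout deletes the server-side copy first, then clears the cookie session.
  def logout(session)
    secret = session[:session_secret]
    @cache.delete(cache_key(secret)) if secret
    session.clear
  end

  private

  def cache_key(secret)
    "session_secret:#{secret}"
  end
end

# Constructed scenario: the attacker copies the cookie contents while the user
# is logged in; the user then logs out. Returns true when the replay is rejected.
def replay_after_logout_rejected?
  guard = SessionGuard.new(MemoryCache.new)

  user_session = {}
  guard.login(user_session, 42)
  stolen_copy = user_session.dup # the replayed cookie contents

  valid_before = guard.authenticated?(stolen_copy) # true while the user is logged in
  guard.logout(user_session)
  valid_after = guard.authenticated?(stolen_copy)  # false: server-side secret is gone

  valid_before && !valid_after
end

puts "replay rejected after logout: #{replay_after_logout_rejected?}"
```

Two design points worth noting. The cache lookup is keyed on the secret itself, so no string comparison of the secret happens in application code and there is no timing side channel to worry about. And because the cache is authoritative, an eviction or a memcached restart logs users out; that is the expected trade-off, since this is effectively a server-side session store with the cookie carrying only the lookup key.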