kotovalexarian-likes-github
/
rails--rails
mirror of https://github.com/rails/rails.git
1
0
Fork 0
Code Releases Activity

Update security guide section on session expirity [ci skip] 

* Avoid string interpolation in methods describing database access
* `delete_all` no longer takes condition param since Rails 5.1
This commit is contained in:
Toms Mikoss 2020-10-28 12:59:34 +02:00 committed by GitHub
parent 9fb4ce4a15
commit f70ccc2eea
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
guides/source/security.md
View File

@ -220,7 +220,7 @@ class Session < ApplicationRecord
time = time.split.inject { |count, unit| count.to_i.send(unit) }
end
delete_all "updated_at < '#{time.ago.to_s(:db)}'"
where("updated_at < ?", time.ago.to_s(:db)).delete_all
end
end
```
@ -228,8 +228,7 @@ end
The section about session fixation introduced the problem of maintained sessions. An attacker maintaining a session every five minutes can keep the session alive forever, although you are expiring sessions. A simple solution for this would be to add a `created_at` column to the sessions table. Now you can delete sessions that were created a long time ago. Use this line in the sweep method above:
```ruby
delete_all "updated_at < '#{time.ago.to_s(:db)}' OR
created_at < '#{2.days.ago.to_s(:db)}'"
where("updated_at < ? OR created_at < ?", time.ago.to_s(:db), 2.days.ago.to_s(:db)).delete_all
```
Cross-Site Request Forgery (CSRF)