The cookie store is vulnerable to session replay attacks.
parent f81532b5b9
commit ba7c1764be
@ -14,6 +14,7 @@ v 6.2.0
- Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov)
- API: Remove group
- Avatar upload on profile page with a maximum of 200KB (Steven Thonus)
- Store the sessions in Redis instead of the cookie store
v 6.1.0
- Project specific IDs for issues, mr, milestones
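Review bot: the new v 6.2.0 entry `- Store the sessions in Redis instead of the cookie store` records what changed but not why, nor what an operator should expect on upgrade. The commit message gives the motivation (the cookie store is vulnerable to session replay), and moving the session store means cookies issued by the old cookie store can no longer be read, so every logged-in user is signed out and a reachable Redis is now required for login to work at all. Suggest the entry carry that, e.g. `- Store the sessions in Redis instead of the cookie store (prevents session replay; existing sessions are invalidated on upgrade)`.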
@ -1,11 +1,9 @@
# Be sure to restart your server when you modify this file.
Gitlab::Application.config.session_store :cookie_store, key: '_gitlab_session',
secure: Gitlab::Application.config.force_ssl,
httponly: true,
path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with "rails generate session_migration")
# Gitlab::Application.config.session_store :active_record_store
Gitlab::Application.config.session_store(
:redis_store, # Using the cookie_store would enable session replay attacks.
key: '_gitlab_session',
secure: Gitlab::Application.config.force_ssl,
httponly: true,
path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
)
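Review bot: the new `session_store(:redis_store, ...)` call carries over only the cookie attributes (`key`, `secure`, `httponly`, `path`) and passes no store options, so which Redis it connects to and how long a session record lives are left to the redis-store defaults. Add an explicit `servers:` pointing at the Redis instance GitLab already runs for Sidekiq and an `expire_after:` so idle sessions are removed server-side; server-side expiry and revocation are exactly what the cookie store could not offer and what makes this change close the replay problem named in the commit message. The inline comment `# Using the cookie_store would enable session replay attacks.` would be more useful to the next reader if it stated the mechanism: a cookie store has no server-side state to revoke, so a captured session cookie stays valid until its own expiry even after logout, whereas a Redis-backed session is destroyed when `reset_session` runs. Dropping the commented-out `active_record_store` block and its three comment lines is fine, since the Redis store now fills that role.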