From ba7c1764be87f272759471bde01b92dcc147e952 Mon Sep 17 00:00:00 2001 From: Sytse Sijbrandij Date: Fri, 11 Oct 2013 17:54:38 +0200 Subject: [PATCH] The cookie store is vulnerable to session replay attacks. --- CHANGELOG | 1 + config/initializers/session_store.rb | 16 +++++++--------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 0d57728367c..1843311d763 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -14,6 +14,7 @@ v 6.2.0 - Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov) - API: Remove group - Avatar upload on profile page with a maximum of 200KB (Steven Thonus) + - Store the sessions in Redis instead of the cookie store v 6.1.0 - Project specific IDs for issues, mr, milestones diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index 52a099c3e16..501cad4a838 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -1,11 +1,9 @@ # Be sure to restart your server when you modify this file. -Gitlab::Application.config.session_store :cookie_store, key: '_gitlab_session', - secure: Gitlab::Application.config.force_ssl, - httponly: true, - path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root - -# Use the database for sessions instead of the cookie-based default, -# which shouldn't be used to store highly confidential information -# (create the session table with "rails generate session_migration") -# Gitlab::Application.config.session_store :active_record_store +Gitlab::Application.config.session_store( + :redis_store, # Using the cookie_store would enable session replay attacks. + key: '_gitlab_session', + secure: Gitlab::Application.config.force_ssl, + httponly: true, + path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root +)