authlogic 6.4.0 → 6.4.1
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e65309a22f2adc25c9c61f10910d6db41fe2c3f6b9d8037977bdfa094b90dd53
|
|
4
|
+
data.tar.gz: 2e5bb549974be424ad83ae20de60775bcb1b66c207031919caf978de7e5801ff
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1198b8ff9bf45e98e8748365ba67112f249c738952b84a39a32b835353481a37b3b006106ff31031d5a78f2952fffa746c8764639f50ebc3cc0ae99f84f74b98
|
|
7
|
+
data.tar.gz: 9ab8911d8838f3ddf6b8b011d498b08941caba5e20d2c62c1d2ec9c8b17f446c68f7585db88bd0c3497ae26cd11cd6f565eb9da3ae27bd3faee5de7815c62fd6
|
|
@@ -8,6 +8,7 @@ module Authlogic
|
|
|
8
8
|
class AbstractAdapter
|
|
9
9
|
E_COOKIE_DOMAIN_ADAPTER = "The cookie_domain method has not been " \
|
|
10
10
|
"implemented by the controller adapter"
|
|
11
|
+
ENV_SESSION_OPTIONS = "rack.session.options"
|
|
11
12
|
|
|
12
13
|
attr_accessor :controller
|
|
13
14
|
|
|
@@ -44,6 +45,26 @@ module Authlogic
|
|
|
44
45
|
request.content_type
|
|
45
46
|
end
|
|
46
47
|
|
|
48
|
+
# Inform Rack that we would like a new session ID to be assigned. Changes
|
|
49
|
+
# the ID, but not the contents of the session.
|
|
50
|
+
#
|
|
51
|
+
# The `:renew` option is read by `rack/session/abstract/id.rb`.
|
|
52
|
+
#
|
|
53
|
+
# This is how Devise (via warden) implements defense against Session
|
|
54
|
+
# Fixation. Our implementation is copied directly from the warden gem
|
|
55
|
+
# (set_user in warden/proxy.rb)
|
|
56
|
+
def renew_session_id
|
|
57
|
+
env = request.env
|
|
58
|
+
options = env[ENV_SESSION_OPTIONS]
|
|
59
|
+
if options
|
|
60
|
+
if options.frozen?
|
|
61
|
+
env[ENV_SESSION_OPTIONS] = options.merge(renew: true).freeze
|
|
62
|
+
else
|
|
63
|
+
options[:renew] = true
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
|
|
47
68
|
def session
|
|
48
69
|
controller.session
|
|
49
70
|
end
|
|
@@ -424,6 +424,7 @@ module Authlogic
|
|
|
424
424
|
after_save :reset_perishable_token!
|
|
425
425
|
after_save :save_cookie, if: :cookie_enabled?
|
|
426
426
|
after_save :update_session
|
|
427
|
+
after_create :renew_session_id
|
|
427
428
|
|
|
428
429
|
after_destroy :destroy_cookie, if: :cookie_enabled?
|
|
429
430
|
after_destroy :update_session
|
|
@@ -976,6 +977,16 @@ module Authlogic
|
|
|
976
977
|
end
|
|
977
978
|
alias secure= secure
|
|
978
979
|
|
|
980
|
+
# Should the Rack session ID be reset after authentication, to protect
|
|
981
|
+
# against Session Fixation attacks?
|
|
982
|
+
#
|
|
983
|
+
# * <tt>Default:</tt> true
|
|
984
|
+
# * <tt>Accepts:</tt> Boolean
|
|
985
|
+
def session_fixation_defense(value = nil)
|
|
986
|
+
rw_config(:session_fixation_defense, value, true)
|
|
987
|
+
end
|
|
988
|
+
alias session_fixation_defense= session_fixation_defense
|
|
989
|
+
|
|
979
990
|
# Should the cookie be signed? If the controller adapter supports it, this is a
|
|
980
991
|
# measure against cookie tampering.
|
|
981
992
|
def sign_cookie(value = nil)
|
|
@@ -1681,6 +1692,13 @@ module Authlogic
|
|
|
1681
1692
|
define_password_field_methods
|
|
1682
1693
|
end
|
|
1683
1694
|
|
|
1695
|
+
# Assign a new controller-session ID, to defend against Session Fixation.
|
|
1696
|
+
# https://guides.rubyonrails.org/v6.0/security.html#session-fixation
|
|
1697
|
+
def renew_session_id
|
|
1698
|
+
return unless self.class.session_fixation_defense
|
|
1699
|
+
controller.renew_session_id
|
|
1700
|
+
end
|
|
1701
|
+
|
|
1684
1702
|
def define_login_field_methods
|
|
1685
1703
|
return unless login_field
|
|
1686
1704
|
self.class.send(:attr_writer, login_field) unless respond_to?("#{login_field}=")
|
|
@@ -9,6 +9,12 @@ module Authlogic
|
|
|
9
9
|
self.controller = controller
|
|
10
10
|
end
|
|
11
11
|
|
|
12
|
+
def env
|
|
13
|
+
@env ||= {
|
|
14
|
+
ControllerAdapters::AbstractAdapter::ENV_SESSION_OPTIONS => {}
|
|
15
|
+
}
|
|
16
|
+
end
|
|
17
|
+
|
|
12
18
|
def format
|
|
13
19
|
controller.request_content_type if controller.respond_to? :request_content_type
|
|
14
20
|
end
|
data/lib/authlogic/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: authlogic
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.4.
|
|
4
|
+
version: 6.4.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ben Johnson
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date:
|
|
13
|
+
date: 2021-02-22 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: activemodel
|