I have been using the devise gem for authenticating my rails app for some time now, and I just began to wonder how current_user works.
How does devise save the current_user?
1. Browser session?
2. Application session?
3. Some other parts of the application?
I am suspecting that the answer is number one, the browser session. Reason being that even when an app gets restarted, and you try to access the app again from a browser that has been used to sign in already, it automatically signs you in.
My confusion though is this: if it is the browser session, it means that when the browser relaunches (the session has ended) current_user should be expired, and the user signed out; but it does not work so.
So, how does current_user operate? Thanks for all contributions.
current_user works by storing the id of the current user in the application session. Most commonly the session is stored in cookies. Whether or not the cookies survive a browser restart depends on the client's browser settings.
If you have checked remember_me, it stores a signed token unique to the user in a permanent cookie and stores it in the browser. It is saved in the database also.
When current_user is called again, Rails checks if the permanent cookie exists, and if so compares it with the one in the database. If they are the same, you are logged in as that user.
Related
We are experiencing a bizarre, very rarely occurring bug where a user will be logged into another user's account.
We are on Rails 4.2. We use authlogic for authentication and dalli as our memcached client. We use memcache as the session store.
I haven't been able to figure out what is causing the issue, but the worst part is that even if I did have a hypothesis I wouldn't know how to confirm if it worked or not.
I would like to find some way to log if a user has been given the wrong session, both to help debug the problem and to determine if a potential fix works.
I'm just not sure if it's possible. If the user's cookie has the wrong session ID, how can I possibly figure that out?
Try going back to signed, encrypted cookie session store. Use memcached for frequently accessed items, like the user record. Load the user model from memcached instead of the database.
If you really want to log session hijacking, then log the user's IP address. If the IP address suddenly changes, as if they were logged in one place, then all of a sudden are making requests from another place, then maybe another user hijacked their session cookie?
http://guides.rubyonrails.org/v5.0/security.html#session-hijacking
Be aware that using Tor would show that pattern, as it generates a new route every ten minutes, but that doesn't mean the session was stolen or mixed up.
If you are not using signed or encrypted cookies, then it allows JavaScript or malicious ads to steal the session id and send it back to the attacker's server.
It could also be your session ids are not secure or random enough. Maybe a new session id overwrites another session id in memcached? Since you are using a different session store, maybe you customized the session identifier?
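The two signals this answer suggests logging, a session whose client IP jumps and (the real mix-up indicator) a session id that resolves to a different user, run over a constructed request log as an added Ruby example; it is not code from the answer or from authlogic, and the record layout is an assumption.

```ruby
require 'time'

# Constructed per-request log, as a before_action could write it once a user is
# resolved: session id, the user id the session store returned, client IP, time.
SAMPLE_REQUESTS = [
  { sid: 's1', uid: 10, ip: '203.0.113.5',  at: '2016-05-01T09:00:00Z' },
  { sid: 's1', uid: 10, ip: '203.0.113.5',  at: '2016-05-01T09:05:00Z' },
  { sid: 's2', uid: 11, ip: '198.51.100.7', at: '2016-05-01T09:06:00Z' },
  { sid: 's1', uid: 10, ip: '192.0.2.44',   at: '2016-05-01T09:07:00Z' }, # s1 moves to a new IP
  { sid: 's2', uid: 12, ip: '198.51.100.7', at: '2016-05-01T09:08:00Z' }  # s2 now resolves to another user
].freeze

# Walks the requests in time order and returns one record per anomaly:
#   :ip_change  - the same session id was seen from a different client IP; only
#                 a hint, since mobile networks, VPNs and Tor change IPs legitimately
#   :user_mixup - the same session id resolved to a different user id. A clean
#                 re-login should rotate the session id (reset_session), so this
#                 points at the session store handing back someone else's data.
def detect_session_anomalies(requests)
  last_seen = {}
  anomalies = []
  requests.sort_by { |r| Time.iso8601(r[:at]) }.each do |r|
    prev = last_seen[r[:sid]]
    if prev && prev[:ip] != r[:ip]
      anomalies << { type: :ip_change, sid: r[:sid], from: prev[:ip], to: r[:ip], at: r[:at] }
    end
    if prev && prev[:uid] != r[:uid]
      anomalies << { type: :user_mixup, sid: r[:sid], from: prev[:uid], to: r[:uid], at: r[:at] }
    end
    last_seen[r[:sid]] = r
  end
  anomalies
end

# Only the signal that indicates a genuine session mix-up rather than a roaming client.
def session_mixups(requests)
  detect_session_anomalies(requests).select { |a| a[:type] == :user_mixup }
end
```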
I am using the Devise gem to handle login/logout in my website. On the client I use AngularJS; the cache is DSCacheFactory.
I have an issue with the browser cache or the AngularJS cache: the cache still stores the old value when the session has ended.
Example:
1. login user A
2. logout user A
3. login user B
4. website shows user A.
I expect that after user B logs in the website shows user B.
The Angular DSCacheFactory only clears the browser cache when entries have expired.
How can I clear user A from DSCacheFactory after logging in as user B (when the session ends)?
I know this post is old, but for future reference, in case someone needs a solution to the described problem.
You have to check whether a user is currently signed in with some account and, on a new sign-in attempt, just invalidate the previous session.
If you override Devise::SessionsController's create action with the code below, you should see the expected result. It works correctly with the angular_devise library:
https://github.com/cloudspace/angular_devise
```ruby
# Override Devise's sessions controller (subclass name is a placeholder).
class SessionsController < Devise::SessionsController
  def create
    # Someone is already signed in and a fresh sign-in is being attempted:
    # drop the old session first so current_user reflects the new account.
    if user_signed_in? && params[:user].present?
      sign_out(current_user)
    end
    super
  end
end
```
I am using ActiveDirectoryMembershipProvider in my web app. I authenticate users with their domain credentials like so:
```csharp
// Validate the supplied domain credentials against Active Directory through the
// configured membership provider, then issue a persistent forms-auth cookie.
if (Membership.ValidateUser(m.Username, m.Password))
{
    FormsAuthentication.SetAuthCookie(m.Username, true);
}
```
This works well.
But even when the user's password is changed in Active Directory, the user stays logged in to the web app?
How can I ensure the user does not stay logged in to the web app if their domain password changes, or their account is disabled, etc.?
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the user's credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I've implemented this and it works perfectly.
More information here
Check if Active Directory password is different from cookie
I'm not 100% certain, but it sounds like you're unhappy that the user's auth ticket continues to work even though their password changes / account expires.
Once a user has logged in and has an authentication ticket (cookie), the user is not challenged for authentication again until the ticket expires (set in the web.config file). Here are two suggestions for dealing with this problem:
1. Wait for the auth ticket (cookie) to expire. Upon the next login, the user will be required to use their new password. Variations of this solution include using session-only cookies so that the user must always log in when the browser is closed (recommended for AD authentication).
2. Write an HTTP module that looks for a list of recently updated users and inspects the auth ticket early in the HTTP pipeline. If an auth ticket comes through and matches the list of updated users, you expire the user's cookie and redirect them to the login page. Here's a similar question that would help get you started:
How can I force a logout of all users on a web site
I've got a Rails 3.0.9 application using Devise 1.4.9. I'm having a bit of a problem with the login screens. I think I understand the problem as I've previously fixed a similar issue in a C application. But this time I'm just using devise so it is harder to just fix the source code ...
The basic pattern is I log out of the application, which takes me to a URL such as this: http://10.0.0.25:3000/devise/users/sign_in
I then go home and come back to work the next day, with the above address still open in the browser. I type in the password, but I just get a message saying my session has expired, and I have to re-enter the password.
Making an educated guess, when the user is shown the sign_in page, devise creates a new session which is not currently logged in. When the user submits the page, devise checks the session exists, and then checks the credentials. For security reasons, the credentials will not work for an expired (or unknown) session.
The fix in the C application was to allow a very long timeout for sessions that had never been logged in. Once a session is logged in, it does need to be logged out after an inactivity delay that is relatively short, so just changing config.timeout_in wouldn't be enough.
EDIT: I've noticed by messing around with the timeout set down to 1 minute that the not-logged-in session timeout does not change to one minute (in fact I haven't really noticed whether it has changed at all...) So there must be something else that does this.
Also I realised when a session is not logged in, there is no time stored within the session cookie, so I don't even know exactly how the server determines the session age (I don't have a server-side sessions table).
I have given the following command in my environment.rb:
```ruby
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_key] = 'sessionname'
```
I want my application to expire after some dynamic value which I get from the user.
Once the session time the user gives me lapses, I want to remove all the cookies.
I could expire all cookies other than the one above, i.e. sessionname.
This holds the session id and this is the main cookie I want to expire.
Could someone suggest a solution?
It's not a good idea to expire the session key, as it will disrupt users working with your application.
I'd suggest having a separate permanent_session_id in cookies which you generate manually upon login and store with an expiration time. Then use that cookie to log users in if the session does not exist.
Such an approach will allow users to stay logged in while using the application and be logged out automatically if permanent_cookie_id has expired after restarting the session.
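The permanent cookie this answer proposes, which is also how the remember_me cookie in the Devise answer at the top of the page works (a signed token in the browser, its counterpart stored on the user, compared on each cookie-only login), as an added Ruby example that is not Devise's code or any answer's; USERS, COOKIE_SECRET and the function names are constructed stand-ins. It also folds in the check the Active Directory answer recommends: a cookie issued before the user's last password change is rejected.

```ruby
require 'openssl'
require 'securerandom'

# Constructed stand-in for a users table. Only a digest of the raw token is
# stored, so a leaked database row cannot be replayed as a cookie.
USERS = { 42 => { remember_digest: nil, password_changed_at: Time.utc(2016, 1, 1) } }
COOKIE_SECRET = SecureRandom.hex(32) # hypothetical app secret (Rails: secret_key_base)

def token_digest(token)
  OpenSSL::Digest::SHA256.hexdigest(token)
end

# Constant-time string comparison, so token checks leak nothing via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# On successful login: mint a random token, store its digest on the user, and
# return a signed cookie value "user_id|token|expires_at|issued_at|hmac".
def issue_remember_cookie(user_id, ttl: 14 * 24 * 3600, now: Time.now)
  token = SecureRandom.urlsafe_base64(32)
  USERS[user_id][:remember_digest] = token_digest(token)
  payload = [user_id, token, (now + ttl).to_i, now.to_i].join('|')
  "#{payload}|#{OpenSSL::HMAC.hexdigest('SHA256', COOKIE_SECRET, payload)}"
end

# On sign-out: rotating the stored digest invalidates every outstanding cookie.
def forget(user_id)
  USERS[user_id][:remember_digest] = nil
end

# When no live session exists: returns the user id the cookie proves, or nil if
# the cookie is forged, expired, rotated away, or older than the last password change.
def user_id_from_remember_cookie(cookie, now: Time.now)
  user_id, token, expires_at, issued_at, mac = cookie.to_s.split('|', 5)
  return nil if mac.nil?
  payload = [user_id, token, expires_at, issued_at].join('|')
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA256', COOKIE_SECRET, payload), mac)
  return nil if now.to_i > expires_at.to_i
  user = USERS[user_id.to_i]
  return nil unless user && user[:remember_digest]
  return nil unless secure_compare(user[:remember_digest], token_digest(token))
  return nil if user[:password_changed_at].to_i > issued_at.to_i
  user_id.to_i
end
```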