Ruby on Rails
Friday, April 5, 2019
I decided to hand-roll the authentication for my Rails app and wonder: what are some gotchas I should know about? I have read the Rails security guide/OWASP and skimmed through the Sorcery codebase. I will be using the built-in has_secure_password and has_secure_token.
I am aware of session fixation attacks, so in order to prevent them, I reset the session every time a user logs in. Also, password reset tokens have a very short expiry time and can be used only once (tokens aren't hashed though, see: https://news.ycombinator.com/item?id=5033266). I have also read about timing attacks, but I am not sure whether it is a material thing to worry about (i.e. leaking info about the system).
Assume all usual suspects are covered: TLS, HSTS, strict CSP, CSRF tokens, SameSite cookies (lax) with the "__Host-" prefix + secure/httponly flags, security headers, encrypted DB at rest, password hashing with bcrypt with a high number of iterations.
P.S. I know that there are several gems that provide auth functionality, but I still want to roll it myself.
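An added example (not the poster's code, and not Rails or Sorcery code) showing the two points raised above: storing only a digest of the password reset token, so a read of the users table does not yield usable reset links, and comparing digests in constant time so a timing difference does not leak how many bytes matched. It is plain Ruby with a Struct standing in for the User model; the column names reset_digest and reset_sent_at and the 15-minute TTL are assumptions.

```ruby
require "securerandom"
require "digest"

# Stand-in for a users row; in a Rails app these would be columns on User.
# Constructed for this example only.
User = Struct.new(:email, :reset_digest, :reset_sent_at)

RESET_TOKEN_TTL = 15 * 60 # seconds; short-lived, as the question describes

# Only the digest is stored. The raw token exists solely in the e-mailed link,
# so a DB backup or SQL injection read does not hand out working reset tokens.
def token_digest(raw)
  Digest::SHA256.hexdigest(raw)
end

# Constant-time comparison: the running time must not depend on where the
# two strings first differ, only on their length.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a token: persist digest + issue time, return the raw value for the e-mail.
def issue_reset_token(user, now: Time.now)
  raw = SecureRandom.urlsafe_base64(32)
  user.reset_digest = token_digest(raw)
  user.reset_sent_at = now
  raw
end

# Consume a presented token. Returns true at most once per issued token and
# only inside the TTL; success and expiry both clear the stored digest
# (single use), while a wrong guess leaves it in place so that guessing cannot
# be used to cancel a legitimate reset.
def consume_reset_token(user, presented, now: Time.now)
  digest, sent_at = user.reset_digest, user.reset_sent_at
  return false if digest.nil? || sent_at.nil?
  if (now - sent_at) > RESET_TOKEN_TTL
    user.reset_digest = user.reset_sent_at = nil
    return false
  end
  return false unless secure_compare(token_digest(presented.to_s), digest)
  user.reset_digest = user.reset_sent_at = nil
  true
end
```

Rate limiting of the reset endpoint and the session reset on login are still needed separately; this block covers only token storage and verification.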