From 771a5621ff972c5ca7d8b4b9cc1dff50079d60ba Mon Sep 17 00:00:00 2001
From: Jason Lee
Date: Wed, 26 Oct 2016 18:03:15 +0800
Subject: [PATCH] Give warning when application use CookieStore
---
 CHANGELOG.md | 14 ++++++++++++++
 README.md | 14 ++++++++++++++
 lib/rucaptcha/engine.rb | 9 +++++++++
 lib/rucaptcha/version.rb | 2 +-
 4 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6bfc9f2..cd927a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,17 @@
+1.0.2
+
+- Revert 1.0.1 changes, still store code in Session, `Rails.cache` not a not place in difference environments.
+ for exampe: Not enable cache, File cache will have bug.
+- Give a warning when user use CookieStore.
+
+1.0.1
+-----
+
+## Security Notes
+
+- Fix Session replay secure issue that when Rails application use CookieStore.
+
+
 1.0.0
 -----
 
diff --git a/README.md b/README.md
index 1df6a8b..2e6db2c 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,20 @@ brew install imagemagick ghostscript
 
 ## Usage
 
+**Security Notice!**
+
+You need change your application Session store from `CookieStore` (Rails default) to backend store location.
+
+- [:active_session_store](https://github.com/rails/activerecord-session_store)
+- [:memcached_store](http://api.rubyonrails.org/classes/ActionDispatch/Session/MemCacheStore.html)
+- [:redis_session_store](https://github.com/roidrage/redis-session-store)
+
+config/initializers/session_store.rb
+
+```rb
+Rails.application.config.session_store :redis_session_store, { ... }
+```
+
 Put rucaptcha in your `Gemfile`:
 
 ```
diff --git a/lib/rucaptcha/engine.rb b/lib/rucaptcha/engine.rb
index 2e8d2af..2fc4a14 100644
--- a/lib/rucaptcha/engine.rb
+++ b/lib/rucaptcha/engine.rb
@@ -7,6 +7,15 @@ module RuCaptcha
 if RuCaptcha.config.cache_limit >= 1
 RuCaptcha::Captcha.send(:prepend, RuCaptcha::Cache)
 end
+
+ if Rails.application.config.session_store.name.match(/CookieStore/)
+ puts %(
+[RuCaptcha] Your application session has use #{Rails.application.config.session_store}
+this may have Session [Replay Attacks] secure issue in RuCaptcha case.
+We suggest you change it to backend [:active_record_store, :redis_session_store]
+http://guides.rubyonrails.org/security.html#replay-attacks-for-cookiestore-sessions)
+ puts ""
+ end
 end
 end
 end
diff --git a/lib/rucaptcha/version.rb b/lib/rucaptcha/version.rb
index 12a51a3..31683d2 100644
--- a/lib/rucaptcha/version.rb
+++ b/lib/rucaptcha/version.rb
@@ -1,3 +1,3 @@
 module RuCaptcha
- VERSION = '1.0.0'
+ VERSION = '1.0.2'
 end
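Review bot: The new guard `Rails.application.config.session_store.name.match(/CookieStore/)` assumes the accessor always returns a class with a `name`; if the configured store resolves to `nil` (for instance when sessions are disabled) or to an object without `name`, this raises `NoMethodError` during engine initialization and turns an advisory warning into a boot failure. A defensive form is `store = Rails.application.config.session_store` followed by `if store.respond_to?(:name) && store.name.to_s.include?('CookieStore')`. The notice is also emitted with `puts` to stdout, which production process managers commonly discard, so `warn` (stderr) or `Rails.logger.warn` is where an operator is more likely to actually see it. Note that this change only warns: the captcha code is still kept in a cookie-backed session, so the replay weakness named in the changelog persists until the application switches to a server-side store. The initializer block enclosing this `if` begins outside the hunk.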