Give warning when application use CookieStore

CHANGELOG.md

@@ -1,3 +1,17 @@
+1.0.2
+
+- Revert 1.0.1 changes, still store code in Session, `Rails.cache` not a not place in difference environments.
+  for exampe: Not enable cache, File cache will have bug.
+- Give a warning when user use CookieStore.
+
+1.0.1
+-----
+
+## Security Notes
+
+- Fix Session replay secure issue that when Rails application use CookieStore.
+
+
 1.0.0
 -----
 

README.md

@@ -45,6 +45,20 @@ brew install imagemagick ghostscript
 
 ## Usage
 
+**Security Notice!**
+
+You need change your application Session store from `CookieStore` (Rails default) to backend store location.
+
+- [:active_session_store](https://github.com/rails/activerecord-session_store)
+- [:memcached_store](http://api.rubyonrails.org/classes/ActionDispatch/Session/MemCacheStore.html)
+- [:redis_session_store](https://github.com/roidrage/redis-session-store)
+
+config/initializers/session_store.rb
+
+```rb
+Rails.application.config.session_store :redis_session_store, { ... }
+```
+
 Put rucaptcha in your `Gemfile`:
 
 ```

lib/rucaptcha/engine.rb

@@ -7,6 +7,15 @@ module RuCaptcha
       if RuCaptcha.config.cache_limit >= 1
         RuCaptcha::Captcha.send(:prepend, RuCaptcha::Cache)
       end
+
+      if Rails.application.config.session_store.name.match(/CookieStore/)
+        puts %(
+[RuCaptcha] Your application session has use #{Rails.application.config.session_store}
+this may have Session [Replay Attacks] secure issue in RuCaptcha case.
+We suggest you change it to backend [:active_record_store, :redis_session_store]
+http://guides.rubyonrails.org/security.html#replay-attacks-for-cookiestore-sessions)
+        puts ""
+      end
     end
   end
 end

lib/rucaptcha/version.rb

@@ -1,3 +1,3 @@
 module RuCaptcha
-  VERSION = '1.0.0'
+  VERSION = '1.0.2'
 end