Give warning when application uses CookieStore
parent f8590ad45a
commit 771a5621ff

CHANGELOG.md: 14 lines changed
@@ -1,3 +1,17 @@
+1.0.2
+
+- Revert 1.0.1 changes, still store code in Session, `Rails.cache` not a not place in difference environments.
+for exampe: Not enable cache, File cache will have bug.
+- Give a warning when user use CookieStore.
+
+1.0.1
+-----
+
+## Security Notes
+
+- Fix Session replay secure issue that when Rails application use CookieStore.
+
+
 1.0.0
 -----

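Review bot: the 1.0.2 entry should say what reverting 1.0.1 means for security, not only why the revert was made: the captcha code goes back into the Rails session, so an application still on `CookieStore` is again exposed to the session replay issue that the 1.0.1 entry says was fixed, and the new warning only reports that condition, it does not mitigate it. The wording of the entry also needs work: "`Rails.cache` not a not place in difference environments. for exampe: Not enable cache, File cache will have bug." should read something like "`Rails.cache` is not a reliable place to keep the code across environments; for example, with caching not enabled, or with the file cache store, it does not work", and "secure issue" in the 1.0.1 entry should be "security issue". Minor: the 1.0.2 heading is missing the `-----` underline that 1.0.1 and 1.0.0 have.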
README.md: 14 lines changed

@@ -45,6 +45,20 @@ brew install imagemagick ghostscript

 ## Usage

+**Security Notice!**
+
+You need change your application Session store from `CookieStore` (Rails default) to backend store location.
+
+- [:active_session_store](https://github.com/rails/activerecord-session_store)
+- [:memcached_store](http://api.rubyonrails.org/classes/ActionDispatch/Session/MemCacheStore.html)
+- [:redis_session_store](https://github.com/roidrage/redis-session-store)
+
+config/initializers/session_store.rb
+
+```rb
+Rails.application.config.session_store :redis_session_store, { ... }
+```
+
 Put rucaptcha in your `Gemfile`:

 ```
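Review bot: two of the three store symbols in the new list do not match what the linked stores are actually configured with, so a reader who copies them into `config.session_store` gets a NameError at boot. `:active_session_store` should be `:active_record_store` (the name the warning text in lib uses as well), and `:memcached_store` should be `:mem_cache_store`, the symbol Rails camelizes to the linked `ActionDispatch::Session::MemCacheStore`. The notice would also be more convincing with one sentence on why the change is required: with `CookieStore` the whole session, and with it the captcha code, lives in a cookie held by the client, so the server cannot invalidate the code after a successful check and the same cookie can be replayed; a server-side store lets RuCaptcha delete the code after use. Wording: "You need change your application Session store from `CookieStore` (Rails default) to backend store location." reads better as "You need to change your application's session store from `CookieStore` (the Rails default) to a server-side store."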
@@ -7,6 +7,15 @@ module RuCaptcha
 if RuCaptcha.config.cache_limit >= 1
 RuCaptcha::Captcha.send(:prepend, RuCaptcha::Cache)
 end
+
+if Rails.application.config.session_store.name.match(/CookieStore/)
+puts %(
+[RuCaptcha] Your application session has use #{Rails.application.config.session_store}
+this may have Session [Replay Attacks] secure issue in RuCaptcha case.
+We suggest you change it to backend [:active_record_store, :redis_session_store]
+http://guides.rubyonrails.org/security.html#replay-attacks-for-cookiestore-sessions)
+puts ""
+end
 end
 end
 end
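Review bot: `Rails.application.config.session_store` returns `nil` when an application sets `config.session_store :disabled`, so `.name.match(/CookieStore/)` raises NoMethodError at boot for those applications; read the store into a local and guard it, for example `store = Rails.application.config.session_store` followed by `if store && store <= ActionDispatch::Session::CookieStore`, which also catches subclasses of CookieStore whose class name does not contain "CookieStore" and avoids matching a string against a class name. The message is written with `puts` to stdout; `Rails.logger.warn` (or `warn`, so it reaches stderr) is where operators look, and a one-off boot message is easy to miss in production. Wording in the message: "Your application session has use ..." should be "Your application is using ...", and "secure issue" should be "security issue". Keep in mind this branch only reports the condition; an application that stays on `CookieStore` remains exposed to the replay issue the linked guide describes.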
@@ -1,3 +1,3 @@
 module RuCaptcha
-VERSION = '1.0.0'
+VERSION = '1.0.2'
 end
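Review bot: the bump goes from `'1.0.0'` straight to `'1.0.2'` while the CHANGELOG in this same commit adds entries for both 1.0.1 and 1.0.2. If 1.0.1 was released from this tree, its version bump is missing here; if it was not, the 1.0.1 section of the CHANGELOG describes a version that never shipped under that number. Confirm the published gem versions line up with the CHANGELOG before tagging.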