Give warning when application uses CookieStore

This commit is contained in:
Jason Lee 2016-10-26 18:03:15 +08:00
parent f8590ad45a
commit 771a5621ff
4 changed files with 38 additions and 1 deletions

View File

@ -1,3 +1,17 @@
1.0.2
- Revert 1.0.1 changes, still store code in Session, `Rails.cache` not a not place in difference environments.
for exampe: Not enable cache, File cache will have bug.
- Give a warning when user use CookieStore.
1.0.1
-----
## Security Notes
- Fix Session replay secure issue that when Rails application use CookieStore.
1.0.0 1.0.0
----- -----
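Review bot: the two new CHANGELOG entries need a copy pass before release. The 1.0.2 header is missing the `-----` underline that the 1.0.1 and 1.0.0 headers have, and the first bullet reads "Rails.cache not a not place in difference environments. for exampe: Not enable cache, File cache will have bug"; suggest "Revert the 1.0.1 change and keep the code in the session: `Rails.cache` is not a safe place across environments (for example, with caching disabled or with the file cache the code is not shared correctly)." The 1.0.1 entry should say "security issue", not "secure issue", and "when Rails application use CookieStore" should be "when a Rails application uses CookieStore", since this is the line users will read to decide whether they are affected.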

View File

@ -45,6 +45,20 @@ brew install imagemagick ghostscript
## Usage ## Usage
**Security Notice!**
You need change your application Session store from `CookieStore` (Rails default) to backend store location.
- [:active_session_store](https://github.com/rails/activerecord-session_store)
- [:memcached_store](http://api.rubyonrails.org/classes/ActionDispatch/Session/MemCacheStore.html)
- [:redis_session_store](https://github.com/roidrage/redis-session-store)
config/initializers/session_store.rb
```rb
Rails.application.config.session_store :redis_session_store, { ... }
```
Put rucaptcha in your `Gemfile`: Put rucaptcha in your `Gemfile`:
``` ```
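Review bot: the first link label in the new store list does not match the symbol a user would actually configure. The activerecord-session_store gem is enabled with `config.session_store :active_record_store`, and the warning added in the engine hunk of this same commit also says `:active_record_store`, so the README label `:active_session_store` should be changed to match. Likewise, the Rails MemCacheStore is selected with `:mem_cache_store` (Rails camelizes the symbol to find `ActionDispatch::Session::MemCacheStore`), so `:memcached_store` would not resolve; please use the exact symbol. The notice prose also needs a grammar fix: "You need change your application Session store from `CookieStore` (Rails default) to backend store location" should read "You need to change your application's session store from `CookieStore` (the Rails default) to a server-side backend store", and the `{ ... }` placeholder in the initializer snippet should be spelled out or at least pointed at the chosen store's documentation.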

View File

@ -7,6 +7,15 @@ module RuCaptcha
if RuCaptcha.config.cache_limit >= 1 if RuCaptcha.config.cache_limit >= 1
RuCaptcha::Captcha.send(:prepend, RuCaptcha::Cache) RuCaptcha::Captcha.send(:prepend, RuCaptcha::Cache)
end end
if Rails.application.config.session_store.name.match(/CookieStore/)
puts %(
[RuCaptcha] Your application session has use #{Rails.application.config.session_store}
this may have Session [Replay Attacks] secure issue in RuCaptcha case.
We suggest you change it to backend [:active_record_store, :redis_session_store]
http://guides.rubyonrails.org/security.html#replay-attacks-for-cookiestore-sessions)
puts ""
end
end end
end end
end end
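Review bot: `Rails.application.config.session_store.name` can raise on valid configurations. With no arguments, `config.session_store` returns the resolved store class, but it returns `nil` when the store is `:disabled` (API-only applications), so `.name` fails with NoMethodError at boot; guard it, for example `store = Rails.application.config.session_store; if store && store.name.to_s.include?("CookieStore")`. Also please check when this block runs relative to the application's `config/initializers/session_store.rb`: an engine initializer executes before the application's own `load_config_initializers`, so the check could still see the default CookieStore even though the user has switched stores, and the warning would fire falsely; running the check from `config.after_initialize` avoids that. Prefer `Rails.logger.warn` over `puts` so the message reaches the application log rather than only stdout, drop the `puts ""`, and fix the wording: "Your application session has use" should be "Your application session store is", and "secure issue" should be "security issue".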

View File

@ -1,3 +1,3 @@
module RuCaptcha module RuCaptcha
VERSION = '1.0.0' VERSION = '1.0.2'
end end