Insecure session expiration time

Need

Enforce secure session expiration time

Context

• Requirement of Ruby version 2.0 or higher

• Usage of ActionPack for handling web requests and managing controllers in a Ruby on Rails application

• Usage of ActiveRecord for Object-Relational Mapping (ORM) in database operations

• Usage of ActiveSupport for extending Ruby on Rails with additional utility methods and functionalities

Description

1. Non compliant code

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
  before_action :set_session

  private

    session[:user_id] = current_user.id...

In the above code, the `set_session` method is setting the `user_id` in the session. This is done for every request that is made to the application. However, there is no code to expire the session after a certain period of inactivity. In this case, if a user logs in and then leaves their computer without logging out, their session will remain active indefinitely. This can be a security risk because if an attacker somehow gains access to the user's computer, they can use the still-active session to impersonate the user and perform actions on their behalf. This vulnerability is known as "Insecure session expiration time". It's important to have a timeout for user sessions to prevent potential unauthorized access.

2. Steps

• Set a proper session expiration time for user sessions.

• Implement a mechanism to track user activity and reset the session expiration time on each user interaction.

• Use a secure session storage mechanism to store session data.

• Consider implementing additional security measures such as session invalidation on logout or password change.

3. Secure code example

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
  before_action :set_session

  private

    session[:user_id] = current_user.id...

The updated code now includes a session expiration time. When the session is set, an expiration time is also set 5 minutes into the future. This is done with the line `session[:expires_at] = Time.current + 5.minutes`. A new method `check_session` is also added. This method checks if the current time is greater than the session expiration time. If it is, the session is reset, effectively logging out the user. If it is not, the session expiration time is reset to 5 minutes into the future. This means that any interaction from the user will reset the session expiration time, keeping them logged in as long as they are active. This code should be called at the beginning of each action in your controllers to ensure the session is always checked. This can be done by adding `before_action :check_session` to your controllers. This solution ensures that user sessions will expire after 5 minutes of inactivity, addressing the identified vulnerability.

References

• 068. Insecure session expiration time

On this page