Rails 4: Does Devise protect against session fixation by resetting the session after login?

I'm looking at the Rails Security Guide and I'm trying to figure out if I need to tackle the problem of session fixation by resetting the user's session after login and assigning them a new session.

I am using Devise 3.4.1 right now. Does Devise automate this? If not, what do I need to change to protect my site from session fixation?

+3




1 answer


Devise is not vulnerable to session fixation attacks, and has not been since this commit on Nov 20, 2010 (linked blog post).



This is confirmed by José Valim, one of its authors, in a post on CSRF token fixation issues.

+4


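To make the mechanism the question is about concrete, here is an added example (not Devise's or Rails' code) that simulates the Rails Security Guide's advice: a login that keeps the session id the request arrived with is fixable, while one that discards it and issues a fresh id before storing the user's identity (what `reset_session` does in a Rails controller) is not. The in-memory `SessionStore`, the `App` class and the user/password pair are constructed for this example.

```ruby
require 'securerandom'

# Constructed stand-in for the Rails session store: session id => session hash.
class SessionStore
  def initialize
    @sessions = {}
  end

  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def [](id)
    @sessions[id]
  end

  def delete(id)
    @sessions.delete(id)
  end
end

# Tiny "app" with two login implementations side by side.
class App
  attr_reader :store
  USERS = { 'alice' => 'correct horse' }.freeze # constructed sample credential

  def initialize
    @store = SessionStore.new
  end

  # Vulnerable: authenticates into whatever session id the request carried,
  # so an id an attacker planted in the victim's browser becomes a logged-in session.
  def login_without_reset(session_id, user, password)
    sess = @store[session_id]
    return nil unless sess && USERS[user] == password
    sess[:user_id] = user
    session_id
  end

  # Hardened: drop the presented session and issue a fresh id before storing
  # identity (the reset_session pattern from the Rails Security Guide).
  def login_with_reset(session_id, user, password)
    return nil unless USERS[user] == password
    @store.delete(session_id)
    fresh = @store.create
    @store[fresh][:user_id] = user
    fresh
  end

  def current_user(session_id)
    (@store[session_id] || {})[:user_id]
  end
end
```

Devise (via Warden) performs the equivalent reset for you on sign-in, so this is only needed in a hand-rolled authentication controller.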






