Rails 4: Does Devise protect against session fixation by resetting the session after login?
I'm looking at the Rails Security Guide and I'm trying to figure out if I need to tackle the problem of session fixation by resetting the user's session after login and assigning a new session to the user.
I am using Devise 3.4.1 right now. Does Devise automate this? If not, what do I need to change to protect my site from session fixation?
+3
1 answer
Devise is not vulnerable to session fixation attacks; see this commit from Nov 20, 2010 (linked blog post).
This is confirmed by José Valim, one of its authors, in a post on CSRF token fixation issues.
+4
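As an added illustration of the pattern the question asks about (it is not code from the original post, from Devise, or from Rails), the following plain-Ruby example contrasts a login that keeps the client's pre-login session id with one that discards it and issues a fresh id. The `SessionStore` class, the `login_*` helpers and the `attacker_can_hijack?` check are constructed for this example; the "planted" id stands in for a session id an attacker fixed on the victim before authentication.

```ruby
require 'securerandom'

# Minimal stand-in for a server-side session store keyed by session id.
# Constructed for this example; it is not the Rails or Devise implementation.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Fresh, unguessable session id (128 bits from the system CSPRNG).
  def new_session_id
    SecureRandom.hex(16)
  end

  # Create an empty session and return its id.
  def create
    id = new_session_id
    @sessions[id] = {}
    id
  end

  # Look up the session data for an id (nil if unknown).
  def [](id)
    @sessions[id]
  end

  def delete(id)
    @sessions.delete(id)
  end

  # Drop the old session entirely and start a new one with a new id.
  def reset(old_id)
    delete(old_id)
    create
  end
end

# Vulnerable pattern: the session id the client arrived with is kept across
# login, so whoever planted that id beforehand now shares the authenticated
# session.
def login_without_reset(store, session_id, user_id)
  store[session_id][:user_id] = user_id
  session_id
end

# Hardened pattern: discard the pre-login session, issue a fresh id, and put
# the user id into the new session only. In a Rails controller this is
# reset_session followed by session[:user_id] = user.id.
def login_with_reset(store, session_id, user_id)
  new_id = store.reset(session_id)
  store[new_id][:user_id] = user_id
  new_id
end

# True if presenting the planted id still yields the victim's authenticated
# session.
def attacker_can_hijack?(store, planted_id, user_id)
  sess = store[planted_id]
  !sess.nil? && sess[:user_id] == user_id
end
```

Running the two logins against a planted id shows the difference: without the reset the planted id becomes the victim's authenticated session, with the reset the planted id is gone and only the newly issued id carries the login.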