Commit ba7c1764be87f272759471bde01b92dcc147e952
1 parent f81532b5. Exists in master and in 4 other branches.
The cookie store is vulnerable to session replay attacks.
Showing 2 changed files with 8 additions and 9 deletions.
CHANGELOG
... | ... | @@ -14,6 +14,7 @@ v 6.2.0 |
14 | 14 | - Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov) |
15 | 15 | - API: Remove group |
16 | 16 | - Avatar upload on profile page with a maximum of 200KB (Steven Thonus) |
17 | + - Store the sessions in Redis instead of the cookie store | |
17 | 18 | |
18 | 19 | v 6.1.0 |
19 | 20 | - Project specific IDs for issues, mr, milestones | ... | ... |
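Review bot: the new changelog line under v 6.2.0 states only that sessions move from the cookie store to Redis, without flagging the two things operators will notice on upgrade: the change is a security fix (the commit message cites session replay) and a reachable Redis server is now required for the application to serve sessions at all, so existing cookie-based sessions will be invalidated and every user logged out once. Suggest extending the entry along the lines of "- Store the sessions in Redis instead of the cookie store (security: prevents session replay; requires Redis, existing sessions are invalidated)".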
config/initializers/session_store.rb
1 | 1 | # Be sure to restart your server when you modify this file. |
2 | 2 | |
3 | -Gitlab::Application.config.session_store :cookie_store, key: '_gitlab_session', | |
4 | - secure: Gitlab::Application.config.force_ssl, | |
5 | - httponly: true, | |
6 | - path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root | |
7 | - | |
8 | -# Use the database for sessions instead of the cookie-based default, | |
9 | -# which shouldn't be used to store highly confidential information | |
10 | -# (create the session table with "rails generate session_migration") | |
11 | -# Gitlab::Application.config.session_store :active_record_store | |
3 | +Gitlab::Application.config.session_store( | |
4 | + :redis_store, # Using the cookie_store would enable session replay attacks. | |
5 | + key: '_gitlab_session', | |
6 | + secure: Gitlab::Application.config.force_ssl, | |
7 | + httponly: true, | |
8 | + path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root | |
9 | +) | ... | ... |
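Review bot: the switch to `:redis_store` passes no Redis connection options and no `expire_after:`, so the store will fall back to the gem's default connection settings rather than whatever Redis configuration GitLab already uses elsewhere, and server-side session entries will never expire unless Redis is configured to evict them. Suggest passing the same Redis server settings the rest of the application uses and an explicit expiry, e.g. `expire_after: 1.week,`, next to `key: '_gitlab_session',`. Worth stating in the inline comment what the new store actually fixes: because session state now lives server-side, a stale session (after logout or a credential change) can be revoked and can no longer be replayed from an old cookie; a freshly stolen `_gitlab_session` cookie is still usable until the server-side entry is removed, so `secure:` and `httponly:` remain the relevant protections for that case.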