The cookie store is vulnerable to session replay attacks.

Sytse Sijbrandij
1 parent f81532b5
Showing 2 changed files with 8 additions and 9 deletions Show diff stats
CHANGELOG
config/initializers/session_store.rb
@@ -14,6 +14,7 @@ v 6.2.0
   - Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov)
   - API: Remove group
   - Avatar upload on profile page with a maximum of 200KB (Steven Thonus)
+  - Store the sessions in Redis instead of the cookie store
 v 6.1.0
   - Project specific IDs for issues, mr, milestones
 # Be sure to restart your server when you modify this file.
-Gitlab::Application.config.session_store :cookie_store, key: '_gitlab_session',
-                                                      secure: Gitlab::Application.config.force_ssl,
-                                                      httponly: true,
-                                                      path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
-
-# Use the database for sessions instead of the cookie-based default,
-# which shouldn't be used to store highly confidential information
-# (create the session table with "rails generate session_migration")
-# Gitlab::Application.config.session_store :active_record_store
+Gitlab::Application.config.session_store(
+  :redis_store, # Using the cookie_store would enable session replay attacks.
+  key: '_gitlab_session',
+  secure: Gitlab::Application.config.force_ssl,
+  httponly: true,
+  path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
+)
	@@ -14,6 +14,7 @@ v 6.2.0		@@ -14,6 +14,7 @@ v 6.2.0
14	- Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov)	14	- Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov)
15	- API: Remove group	15	- API: Remove group
16	- Avatar upload on profile page with a maximum of 200KB (Steven Thonus)	16	- Avatar upload on profile page with a maximum of 200KB (Steven Thonus)
		17	+ - Store the sessions in Redis instead of the cookie store
17		18
18	v 6.1.0	19	v 6.1.0
19	- Project specific IDs for issues, mr, milestones	20	- Project specific IDs for issues, mr, milestones
1	# Be sure to restart your server when you modify this file.	1	# Be sure to restart your server when you modify this file.
2		2
3	-Gitlab::Application.config.session_store :cookie_store, key: '_gitlab_session',
4	- secure: Gitlab::Application.config.force_ssl,
5	- httponly: true,
6	- path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
7	-
8	-# Use the database for sessions instead of the cookie-based default,
9	-# which shouldn't be used to store highly confidential information
10	-# (create the session table with "rails generate session_migration")
11	-# Gitlab::Application.config.session_store :active_record_store	3	+Gitlab::Application.config.session_store(
		4	+ :redis_store, # Using the cookie_store would enable session replay attacks.
		5	+ key: '_gitlab_session',
		6	+ secure: Gitlab::Application.config.force_ssl,
		7	+ httponly: true,
		8	+ path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
		9	+)