In Rails applications it’s really easy to let users log in to your application: you ask them for a username and password, check that they’re correct and put their ID into the session. It probably looks a bit like this:

if user = User.authenticate(username, password)
  # the session cookie now carries nothing but the user's ID
  session[:user_id] = user.id
end

This “works”, but it isn’t very secure. With the encrypted cookie store (Rails 4 and later) Rails ensures users can’t read or tamper with the session contents, but it does nothing to stop someone who steals another user’s session cookie from presenting it themselves and impersonating that user. How might someone get hold of your session cookie, you ask?

  • A man-in-the-middle attack on an insecure (plain HTTP) connection, where the cookie travels in the clear.

  • Physically copying it out of someone’s browser while they go and get themselves a coffee and forget to lock their computer.

  • Losing your laptop or device with your (persistent) session cookies still stored on it.

If you’re only storing the user’s ID in the session, the cookie stays valid until it expires, however it was obtained, and there’s nothing you can do to revoke that access short of changing the user’s ID, which probably isn’t practical. You could add another per-user token to the session and change it on the server to invalidate the user’s sessions, but that logs them out everywhere at once rather than just the one stolen session, and it isn’t very elegant.

Fingerprints

To solve these issues, I’ve created a gem, Authie, which stores your users’ session data in your database and gives you total control over which sessions are active.

  • When someone logs into your application, they are given a new, random session token, which is stored in a cookie.

  • This session token is sent to your server on every request and is used to look up the session, and therefore the user who “created” it.

  • On every request, we update the session with the last activity timestamp, the IP address and the path the user visited. This lets you see where a user currently is within your app and identify inactive sessions. Sessions that aren’t used for 12 hours are expired, and any further request carrying that session token will require the user to log in again.

  • You can show users a list of their sessions along with the user agent, the last IP address that used each one and the time it was last active. If a user sees a suspicious session, they can revoke its access to their account without affecting their other sessions.

What about 'remember me'?

The same system can be used to let users stay logged in on particular browsers. To do this with Authie, you simply mark their session as persistent. This disables the inactivity check and allows the token to keep working for up to 3 months (although you can configure this).
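The flow the bullets above describe, together with the persistent “remember me” variant, as an added example; this is not Authie’s code and does not use its API or schema. The “database” is an in-memory Hash standing in for a sessions table so the example runs offline (in a Rails app this would be an ActiveRecord model), the clock is injectable so expiry can be exercised without waiting, and storing only a SHA-256 digest of the token rather than the token itself is this example’s own choice (so a leaked database dump does not contain live tokens), not a claim about how Authie stores it. The 12-hour and 3-month limits are the ones quoted in the post.

```ruby
require 'securerandom'
require 'digest'

# Added example: a minimal server-side session store. Not Authie's code.
class SessionStore
  INACTIVITY_LIMIT = 12 * 60 * 60        # 12 hours of inactivity, as in the post
  PERSISTENT_LIMIT = 90 * 24 * 60 * 60   # ~3 months for "remember me" sessions

  # One row per session. token_digest doubles as the identifier shown to the user.
  Session = Struct.new(:user_id, :token_digest, :created_at, :last_activity_at,
                       :last_ip, :last_path, :user_agent, :persistent, :active,
                       keyword_init: true)

  # clock is injectable so expiry can be tested deterministically.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @sessions = {} # token_digest => Session (stands in for the database table)
  end

  # Called on login. Returns the raw token to place in the cookie. Only the
  # digest is persisted: a 256-bit random token cannot be brute-forced from
  # its SHA-256, so a database leak does not hand out live sessions.
  def create(user_id, ip:, user_agent:, persistent: false)
    token = SecureRandom.urlsafe_base64(32)
    now = @clock.call
    id = digest(token)
    @sessions[id] = Session.new(user_id: user_id, token_digest: id, created_at: now,
                                last_activity_at: now, last_ip: ip, last_path: nil,
                                user_agent: user_agent, persistent: persistent, active: true)
    token
  end

  # Called on every request with the cookie value. Returns the user_id when the
  # token is valid, nil otherwise (the caller then forces a fresh login), and
  # records the activity data the post describes.
  def touch(token, ip:, path:)
    return nil if token.nil?
    session = @sessions[digest(token)]
    return nil unless session && session.active
    now = @clock.call
    if expired?(session, now)
      session.active = false # expired sessions never come back, even if touched again
      return nil
    end
    session.last_activity_at = now
    session.last_ip = ip
    session.last_path = path
    session.user_id
  end

  # The "where am I logged in?" list: a user's live sessions.
  def sessions_for(user_id)
    now = @clock.call
    @sessions.values.select { |s| s.user_id == user_id && s.active && !expired?(s, now) }
  end

  # Revoke a single session (what the user clicks in the list). Returns true if found.
  def revoke(token_digest)
    session = @sessions[token_digest]
    session.active = false if session
    !session.nil?
  end

  # Revoke every live session for a user (e.g. after a password change). Returns the count.
  def revoke_all(user_id)
    sessions_for(user_id).each { |s| s.active = false }.size
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Persistent sessions skip the inactivity check and live for a fixed term from
  # creation; ordinary sessions die after INACTIVITY_LIMIT without a request.
  def expired?(session, now)
    if session.persistent
      now - session.created_at > PERSISTENT_LIMIT
    else
      now - session.last_activity_at > INACTIVITY_LIMIT
    end
  end
end

if $PROGRAM_NAME == __FILE__
  store = SessionStore.new
  token = store.create(1, ip: '203.0.113.5', user_agent: 'Mozilla/5.0 (constructed)')
  puts "cookie value: #{token}"
  puts "user for this request: #{store.touch(token, ip: '203.0.113.5', path: '/account').inspect}"
  store.sessions_for(1).each { |s| puts "#{s.user_agent} from #{s.last_ip}, last seen #{s.last_activity_at}" }
end
```

Whatever stores the token, the cookie that carries it should be set HttpOnly and Secure, which closes the plain-HTTP interception case above; the physical-access and lost-laptop cases are not helped by cookie flags at all, and that is exactly where server-side revocation earns its keep.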

How do I get it?

It’s really easy to get started. Just check out the README & install the gem into your application.
