Allow use of secure session only #199

Open
wants to merge 1 commit into master

Conversation

@tmandke commented Mar 28, 2023

This change allows the disabling of the fallback used to access old, insecure sessions and rewrite them as secure sessions. The fallback was originally added as part of the mitigation of CVE-2019-25025 several years back.

Motivation

This fallback mechanism was added 4 years ago. In many cases, or at least in our case, the expiry on old, insecure sessions has long since passed. We'd like the ability to disable the fallback entirely, as it will never be a valid path for us.
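The lookup-then-rewrite path the PR is talking about, as an added illustration in Ruby that is not the gem's own code: records are keyed by a hashed private id, and a switchable fallback lets a request that still carries a pre-fix plaintext session id find its row and have it upgraded in place. The class and method names, the in-memory rows, the `allow_insecure_fallback` flag and the `"2::" + SHA256` private-id scheme are assumptions made for this example.

```ruby
require "digest"

# Added example, not activerecord-session_store code. A row holds either a
# legacy plaintext `session_id` (pre-fix) or a hashed `private_id` (post-fix).
# Lookups always try the hash first; the fallback to the plaintext id is the
# path this PR makes optional.
class LegacyFallbackStore
  Record = Struct.new(:session_id, :private_id, :data)

  # Hypothetical private-id derivation: never store the public id itself.
  def self.private_id_for(public_id)
    "2::" + Digest::SHA256.hexdigest(public_id)
  end

  def initialize(allow_insecure_fallback: true)
    @allow_insecure_fallback = allow_insecure_fallback
    @rows = [] # stands in for the sessions table
  end

  # Constructed sample: a row written before the CVE fix, plaintext id only.
  def seed_legacy(public_id, data)
    @rows << Record.new(public_id, nil, data)
  end

  # Constructed sample: a row written after the fix, hashed id only.
  def seed_secure(public_id, data)
    @rows << Record.new(nil, self.class.private_id_for(public_id), data)
  end

  # Returns the record for a public session id, or nil when it is unknown
  # (or known only by its plaintext id while the fallback is disabled).
  def find(public_id)
    private_id = self.class.private_id_for(public_id)
    row = @rows.find { |r| r.private_id == private_id }
    return row if row
    return nil unless @allow_insecure_fallback

    # Insecure fallback: match on the plaintext id the fix stopped relying on.
    row = @rows.find { |r| r.session_id == public_id }
    return nil unless row

    # Rewrite the legacy row as a secure one so the plaintext id disappears.
    row.private_id = private_id
    row.session_id = nil
    row
  end

  # Number of rows still carrying a plaintext id, i.e. not yet upgraded.
  def legacy_rows
    @rows.count { |r| r.private_id.nil? }
  end
end
```

With the flag off, a request presenting a plaintext id that was never upgraded simply misses and gets a fresh session, which is the behaviour wanted once every pre-fix session has expired; with it on, the first hit rewrites the row and later hits take the hashed path only.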

@tmandke tmandke force-pushed the optional-insecure-session-fallback branch from 23ccf4f to 0eb5495 Compare March 28, 2023 17:48
@stevenharman stevenharman force-pushed the optional-insecure-session-fallback branch 2 times, most recently from 0db1d35 to 7743696 Compare November 3, 2023 15:03
@stevenharman (Contributor) commented:

👋 Hello! Anything we can do to help this one along? We'd love to get back on the mainline version.

Thank you.

@stevenharman (Contributor) commented:

😄 bump! Any hopes of getting this merged?

@stevenharman stevenharman force-pushed the optional-insecure-session-fallback branch 2 times, most recently from 11b5406 to ba695f3 Compare March 26, 2025 12:32
@stevenharman stevenharman force-pushed the optional-insecure-session-fallback branch 2 times, most recently from 18cd1ee to e9fed90 Compare April 2, 2025 18:58
This change allows the disabling of fallback used to access old,
insecure sessions, and rewrite them as secure sessions. The fallback was
originally added as part of the mitigation of CVE-2019-25025 several
years back.

However, this fallback mechanism was added over 5 years ago. In many
cases, or at least in our case, the expiry on old, insecure sessions
has long since passed. We'd like the ability to disable the fallback
entirely, as it will never be a valid path for us.

See: rails#151

Also, we had to improve our patch for
`ActionDispatch::Assertions::RoutingAssertions::WithIntegrationRouting`
to handle middleware correctly. This is the same implementation as was
added in Rails 8.0.

See: rails/rails#54705
@stevenharman stevenharman force-pushed the optional-insecure-session-fallback branch from e9fed90 to 44e4b7e Compare April 3, 2025 20:32
@stevenharman (Contributor) commented:

@byroot I had to further update the patch for ActionDispatch::Assertions::RoutingAssertions::WithIntegrationRouting for these tests to pass. I worry that we're chasing a moving target - as the underlying test infra in Rails improves/changes, we have to constantly patch our test setup to be compatible. Is there a better way to do this?

2 participants