Commit ba7c1764 authored by Sytse Sijbrandij

The cookie store is vulnerable to session replay attacks.

parent f81532b5
...@@ -14,6 +14,7 @@ v 6.2.0 ...@@ -14,6 +14,7 @@ v 6.2.0
- Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov) - Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov)
- API: Remove group - API: Remove group
- Avatar upload on profile page with a maximum of 200KB (Steven Thonus) - Avatar upload on profile page with a maximum of 200KB (Steven Thonus)
- Store the sessions in Redis instead of the cookie store
v 6.1.0 v 6.1.0
- Project specific IDs for issues, mr, milestones - Project specific IDs for issues, mr, milestones
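Review bot: The new CHANGELOG entry "Store the sessions in Redis instead of the cookie store" should state the operational impact of the switch, since it changes what operators must run and what users will experience: the application now depends on a reachable Redis instance for every logged-in request, and sessions previously serialized into the `_gitlab_session` cookie will no longer be recognized, so all users are signed out on upgrade. A short clause such as "(requires Redis; existing sessions are invalidated on upgrade)" in the entry would make that visible to anyone reading the release notes before deploying 6.2.0.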
......
# Be sure to restart your server when you modify this file. # Be sure to restart your server when you modify this file.
Gitlab::Application.config.session_store :cookie_store, key: '_gitlab_session', Gitlab::Application.config.session_store(
:redis_store, # Using the cookie_store would enable session replay attacks.
key: '_gitlab_session',
secure: Gitlab::Application.config.force_ssl, secure: Gitlab::Application.config.force_ssl,
httponly: true, httponly: true,
path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
)
# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with "rails generate session_migration")
# Gitlab::Application.config.session_store :active_record_store
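Review bot: The new `session_store(:redis_store, ...)` call sets no `expire_after`, so nothing in this hunk bounds the lifetime of a session once it is in Redis; with the cookie store the Rails signed cookie carried no expiry either, but moving the data server-side is exactly the point at which a limit becomes enforceable, so consider adding an `expire_after:` option alongside `key:` and `secure:` so stale session keys are evicted rather than kept indefinitely. Two smaller points on the same lines: no Redis connection options are passed, so the store falls back to the library's default server, and it would be clearer to pass the same Redis settings the rest of the application already uses; and the trailing comment block ("Use the database for sessions instead of the cookie-based default ...") now describes an alternative to a default that this file no longer uses, so it should be updated or dropped to avoid misleading the next reader.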