Commit 038d5305 authored by Imre Farkas's avatar Imre Farkas

Remove ability to revoke active session

Session ID is used as a parameter for the revoke session endpoint but it
should never be included in the HTML as an attacker could obtain it via
XSS.
parent 44c4aad9
...@@ -4,13 +4,4 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController ...@@ -4,13 +4,4 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController
def index def index
@sessions = ActiveSession.list(current_user).reject(&:is_impersonated) @sessions = ActiveSession.list(current_user).reject(&:is_impersonated)
end end
def destroy
ActiveSession.destroy(current_user, params[:id])
respond_to do |format|
format.html { redirect_to profile_active_sessions_url, status: :found }
format.js { head :ok }
end
end
end end
...@@ -23,9 +23,3 @@ ...@@ -23,9 +23,3 @@
%strong Signed in %strong Signed in
on on
= l(active_session.created_at, format: :short) = l(active_session.created_at, format: :short)
- unless is_current_session
.float-right
= link_to profile_active_session_path(active_session.session_id), data: { confirm: 'Are you sure? The device will be signed out of GitLab.' }, method: :delete, class: "btn btn-danger prepend-left-10" do
%span.sr-only Revoke
Revoke
---
title: Do not display impersonated sessions under active sessions and remove ability
to revoke session
merge_request:
author:
type: security
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
> in GitLab 10.8. > in GitLab 10.8.
GitLab lists all devices that have logged into your account. This allows you to GitLab lists all devices that have logged into your account. This allows you to
review the sessions and revoke any of it that you don't recognize. review the sessions.
## Listing all active sessions ## Listing all active sessions
...@@ -12,9 +12,3 @@ review the sessions and revoke any of it that you don't recognize. ...@@ -12,9 +12,3 @@ review the sessions and revoke any of it that you don't recognize.
1. Navigate to the **Active Sessions** tab. 1. Navigate to the **Active Sessions** tab.
![Active sessions list](img/active_sessions_list.png) ![Active sessions list](img/active_sessions_list.png)
## Revoking a session
1. Navigate to your [profile's](#profile-settings) **Settings > Active Sessions**.
1. Click on **Revoke** besides a session. The current session cannot be
revoked, as this would sign you out of GitLab.
...@@ -82,31 +82,4 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do ...@@ -82,31 +82,4 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do
expect(page).not_to have_content('Chrome on Windows') expect(page).not_to have_content('Chrome on Windows')
end end
end end
it 'User can revoke a session', :js, :redis_session_store do
Capybara::Session.new(:session1)
Capybara::Session.new(:session2)
# set an additional session in another browser
using_session :session2 do
gitlab_sign_in(user)
end
using_session :session1 do
gitlab_sign_in(user)
visit profile_active_sessions_path
expect(page).to have_link('Revoke', count: 1)
accept_confirm { click_on 'Revoke' }
expect(page).not_to have_link('Revoke')
end
using_session :session2 do
visit profile_active_sessions_path
expect(page).to have_content('You need to sign in or sign up before continuing.')
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment