Commit ba7c1764 authored by Sytse Sijbrandij

The cookie store is vulnerable to session replay attacks.

parent f81532b5
...@@ -14,6 +14,7 @@ v 6.2.0 ...@@ -14,6 +14,7 @@ v 6.2.0
- Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov) - Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov)
- API: Remove group - API: Remove group
- Avatar upload on profile page with a maximum of 200KB (Steven Thonus) - Avatar upload on profile page with a maximum of 200KB (Steven Thonus)
- Store the sessions in Redis instead of the cookie store
v 6.1.0 v 6.1.0
- Project specific IDs for issues, mr, milestones - Project specific IDs for issues, mr, milestones
......
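Review bot: the new 6.2.0 entry `- Store the sessions in Redis instead of the cookie store` omits the reason given in the commit message (the cookie store is vulnerable to session replay attacks), so readers of the changelog cannot tell this is a security fix; suggest `- Store the sessions in Redis instead of the cookie store to prevent session replay attacks`, and add that switching the store invalidates all existing cookie sessions, so every user is logged out once on upgrade.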
# Be sure to restart your server when you modify this file. # Be sure to restart your server when you modify this file.
Gitlab::Application.config.session_store :cookie_store, key: '_gitlab_session', Gitlab::Application.config.session_store(
secure: Gitlab::Application.config.force_ssl, :redis_store, # Using the cookie_store would enable session replay attacks.
httponly: true, key: '_gitlab_session',
path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root secure: Gitlab::Application.config.force_ssl,
httponly: true,
# Use the database for sessions instead of the cookie-based default, path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
# which shouldn't be used to store highly confidential information )
# (create the session table with "rails generate session_migration")
# Gitlab::Application.config.session_store :active_record_store
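Review bot: the new `Gitlab::Application.config.session_store(:redis_store, ...)` call passes only `key`, `secure`, `httponly` and `path`, with no Redis connection setting and no `expire_after:`, so it relies on the store's default server location and leaves every session in Redis until it is explicitly deleted on logout; add an `expire_after:` value so abandoned sessions are reaped server-side, point the store at the Redis server GitLab is configured to use (assumed to exist elsewhere in the app; it is not in this hunk), and confirm the gem that provides `:redis_store` is added to the Gemfile, since this diff only touches the initializer. Keeping the inline `# Using the cookie_store would enable session replay attacks.` comment is good; dropping the stale `active_record_store` comment block below it is also right.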