Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
ba7c1764
Commit
ba7c1764
authored
Oct 11, 2013
by
Sytse Sijbrandij
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
The cookie store is vulnerable to session replay attacks.
parent
f81532b5
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
8 additions
and
9 deletions
+8
-9
CHANGELOG
CHANGELOG
+1
-0
config/initializers/session_store.rb
config/initializers/session_store.rb
+7
-9
No files found.
CHANGELOG
View file @
ba7c1764
...
@@ -14,6 +14,7 @@ v 6.2.0
...
@@ -14,6 +14,7 @@ v 6.2.0
- Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov)
- Extended User API to expose admin and can_create_group for user creation/updating (Boyan Tabakov)
- API: Remove group
- API: Remove group
- Avatar upload on profile page with a maximum of 200KB (Steven Thonus)
- Avatar upload on profile page with a maximum of 200KB (Steven Thonus)
- Store the sessions in Redis instead of the cookie store
v 6.1.0
v 6.1.0
- Project specific IDs for issues, mr, milestones
- Project specific IDs for issues, mr, milestones
...
...
config/initializers/session_store.rb
View file @
ba7c1764
# Be sure to restart your server when you modify this file.
# Be sure to restart your server when you modify this file.
Gitlab
::
Application
.
config
.
session_store
:cookie_store
,
key:
'_gitlab_session'
,
Gitlab
::
Application
.
config
.
session_store
(
secure:
Gitlab
::
Application
.
config
.
force_ssl
,
:redis_store
,
# Using the cookie_store would enable session replay attacks.
httponly:
true
,
key:
'_gitlab_session'
,
path:
(
Rails
.
application
.
config
.
relative_url_root
.
nil?
)
?
'/'
:
Rails
.
application
.
config
.
relative_url_root
secure:
Gitlab
::
Application
.
config
.
force_ssl
,
httponly:
true
,
# Use the database for sessions instead of the cookie-based default,
path:
(
Rails
.
application
.
config
.
relative_url_root
.
nil?
)
?
'/'
:
Rails
.
application
.
config
.
relative_url_root
# which shouldn't be used to store highly confidential information
)
# (create the session table with "rails generate session_migration")
# Gitlab::Application.config.session_store :active_record_store
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment