Summary
In this episode, we explore session hijacking and an approach that we can take to limit the risk. There are some user experience and functionality caveats to this approach so they must be taken into consideration as well.rails security 9:27
Chapters
- Introduction (0:00)
- Adding session reset (2:50)
- Demo of verify_session working (4:06)
- Same network fallacy (4:37)
- User experience fallacy (5:33)
- Always use SSL in production (6:43)
- Public IP Address warning (7:26)
- Final Thoughts (7:47)
Resources
Rails Guides - https://guides.rubyonrails.org/security.html#session-hijacking
This episode is sponsored by Honeybadger
This episode is sponsored by Honeybadger
Summary
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
before_action :verify_session
private
def verify_session
return if session[:remote_ip] == request.remote_ip
reset_session
session[:remote_ip] = request.remote_ip
end
end# app/views/welcome/index.html.erb session[:remote_ip] => <%= session[:remote_ip] %><br> request.remote_ip => <%= request.remote_ip %>