Project

General

Profile

Actions
Copy link

Defect #15567

closed

cookiestore / session management

Added by Jan Niggemann (redmine.org team member) about 11 years ago. Updated about 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jan Niggemann (redmine.org team member)
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Affected version:

Description

I don't know if this is a true threat or not, but redmine is explicitly mentioned here:
http://maverickblogging.com/list-of-websites-using-ruby-on-rails-cookiestore-for-session-management/

http://projects.webappsec.org/w/page/13246944/Insufficient%20Session%20Expiration

Reply: No, Rails' CookieStore isn't broken

Do we need to to something about this?

Actions
Copy link
 #1

Updated by Jean-Philippe Lang about 11 years ago

Redmine adds a (configurable) maximum lifetime and an idle timeout to sessions so that cookies don't persist "for life". Anyone who runs Redmine is free to switch to ActiveRecordStore or MemCacheStore where sessions are invalidated when the user logs out.

Actions
Copy link
 #2

Updated by Jan Niggemann (redmine.org team member) about 11 years ago

  • Status changed from New to Confirmed
  • Assignee set to Jan Niggemann (redmine.org team member)

It would be a good idea to add information to the RedmineSettings, I'll take care of that.

Actions
Copy link
 #3

Updated by Jan Niggemann (redmine.org team member) about 11 years ago

  • Status changed from Confirmed to Resolved
  • Private changed from Yes to No

Added some information to RedmineSettings

Actions
Copy link
 #4

Updated by Jan Niggemann (redmine.org team member) about 11 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF