This post is about checking “The Gates” of your Rails application.
Every web application is a set of urls. Some of them are publically available and some are available only to you (e.g. your bank account page should be available only to you and your spouse).
Modern web application authentication works as follows:
- there is log in page where you enter your username/password
- backend checks that combination
- if this combination is valid, backend returns in Set-Cookie header long, unique, hard to guess string of characters. This is session string.
- Browser takes that value and sends it in Cookie header in all following requests.
- Backend checks cookie value and it needs to be same as one assigned to username/password combination
- there should be logout endpoint that removes session string form username/password combination.
More about Ruby on Rails session security can be found here.
If you want to start your own session management, this could go wrong in infinity number of combinations.
So what can you do? Use Devise gem with following options:
- store session in database
- session must expire after some user inactivity time
- log out feature must be implemented.
- rotate devise key value (most frequently means more security).
In future security audits you only need to check devise configuration, that devise if updated with (possible) latest security patches and that devise security key rotation is active.