Commit
Make session handling more secure

* Tie remember_me cookie to password hash

  That way when the password gets changed, existing cookies automatically get invalidated.

* Invalidate user sessions on password change

  This will require a user to log in again after their password is changed, either by themselves or through an admin. This is a slight change in behaviour compared to before, but makes sure password changes are enforced across all existing sessions.

* ♻️ remember_key_for_user => signature_key_for_user

* Invalidate sessions after 15min of inactivity

  The server has been keeping track of login sessions for a while, but now it also only considers such (active login) sessions fresh that have been active within the past 15min. That way, a session cookie's lifetime is now also restricted server side. An active socket connection suffices to keep the session alive, as do any other requests using the cookie.

  As the session tracking happens in-memory, all sessions will become invalid on server restart. However, if the remember me cookie is set, after server restart a passive login will succeed.

* Limit remember_me validity to 90 days

  So far that was only done through the cookie duration, and with a year to boot. Now we encode the creation date into the cookie and check against that; if it exceeds the cookie duration the cookie is considered unset. Will prevent reuse of ancient remember me cookies (and force the user to login at least once every 90d).

* Fix unit tests

  New cookie handling requires a faked flask config object.

Related: https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629/
Showing 8 changed files with 175 additions and 28 deletions.
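The commit message describes three mechanisms: a remember-me token whose signing key is derived from the user's password hash (so a password change invalidates every outstanding token), a creation timestamp inside the token checked against a 90-day limit, and server-side session tracking that treats a session as stale after 15 minutes without activity. The following is an added illustration of those mechanisms and is not OctoPrint's code: the function and class names (`signature_key_for_user` aside, which the message mentions only as a rename), the token layout, the use of SHA-256 HMAC, and the `lookup_password_hash` callback are all assumptions made for this example. It deliberately avoids Flask so it runs stand-alone; the `now` parameters exist so the time-dependent checks can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Limits taken from the commit message; everything else here is illustrative.
REMEMBER_ME_MAX_AGE = 90 * 24 * 3600   # remember-me tokens older than 90 days are treated as unset
SESSION_IDLE_TIMEOUT = 15 * 60         # active sessions are stale after 15 minutes without a request


def signature_key_for_user(server_secret: bytes, password_hash: str) -> bytes:
    """Per-user signing key derived from the server secret AND the stored password hash.
    Changing the password changes the key, so tokens signed under the old hash stop verifying.
    (Assumed derivation; the real project may derive its key differently.)"""
    return hashlib.sha256(server_secret + b"|" + password_hash.encode("utf-8")).digest()


def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def create_remember_token(user_id: str, password_hash: str, server_secret: bytes,
                          now: Optional[float] = None) -> str:
    """Build a remember-me token '<user_id>|<created_ts>|<hmac>' (urlsafe base64)."""
    created = int(now if now is not None else time.time())
    payload = f"{user_id}|{created}".encode("utf-8")
    sig = _sign(signature_key_for_user(server_secret, password_hash), payload)
    return base64.urlsafe_b64encode(payload + b"|" + sig.encode("ascii")).decode("ascii")


def verify_remember_token(token: str, lookup_password_hash: Callable[[str], Optional[str]],
                          server_secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic under the user's CURRENT password hash
    and was created within the last 90 days; otherwise None (token treated as unset)."""
    try:
        body = base64.urlsafe_b64decode(token.encode("ascii")).decode("utf-8")
        rest, _, sig = body.rpartition("|")          # signature is the last field
        user_id, _, created_s = rest.rpartition("|")  # user id may itself contain '|'
        created = int(created_s)
    except ValueError:  # bad base64 (binascii.Error subclasses ValueError), bad utf-8 handled below
        return None
    except UnicodeDecodeError:
        return None
    if not user_id:
        return None
    password_hash = lookup_password_hash(user_id)
    if password_hash is None:
        return None
    expected = _sign(signature_key_for_user(server_secret, password_hash),
                     f"{user_id}|{created}".encode("utf-8"))
    if not hmac.compare_digest(expected, sig):  # wrong key (password changed) or tampered payload
        return None
    current = now if now is not None else time.time()
    if created > current or current - created > REMEMBER_ME_MAX_AGE:
        return None  # from the future, or older than the cookie duration: considered unset
    return user_id


@dataclass
class SessionTracker:
    """In-memory record of active login sessions: session_id -> (user_id, last_active).
    Being in-memory, it is empty after a restart, which is why a remember-me token is needed
    for a passive login to succeed afterwards."""
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def touch(self, session_id: str, user_id: str, now: float) -> None:
        """Any request (or an open socket connection) using the session cookie refreshes it."""
        self.sessions[session_id] = (user_id, now)

    def is_fresh(self, session_id: str, now: float) -> bool:
        entry = self.sessions.get(session_id)
        if entry is None:
            return False
        _, last_active = entry
        if now - last_active > SESSION_IDLE_TIMEOUT:
            self.sessions.pop(session_id, None)  # idle too long: drop it server side
            return False
        return True

    def invalidate_user_sessions(self, user_id: str) -> int:
        """Called on password change (by the user or an admin); returns how many sessions were dropped."""
        stale = [sid for sid, (uid, _) in self.sessions.items() if uid == user_id]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)
```

Note that `verify_remember_token` rebuilds the signed payload from the parsed fields rather than trusting the raw bytes, so a timestamp that decodes to the same integer but was encoded differently (leading zeros, for instance) does not verify; the cookie's own expiry remains a client-side convenience, while the server-side checks above are what actually bound a token's life.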