1. 30 Mar, 2022 4 commits
  2. 03 Feb, 2022 1 commit
  3. 02 Feb, 2022 9 commits
  4. 31 Jan, 2022 10 commits
  5. 26 Nov, 2021 11 commits
  6. 06 Nov, 2021 2 commits
  7. 05 Nov, 2021 3 commits
    • Eugen Rochko's avatar
      Bump version to 3.4.2 · 8a74d851
      Eugen Rochko authored
    • Claire's avatar
    • Claire's avatar
      Fix reviving revoked sessions and invalidating login (#16943) · 3251b8ee
      Claire authored
      Up until now, we have used Devise's Rememberable mechanism to re-log users
      after the end of their browser sessions. This mechanism relies on a signed
      cookie containing a token. That token was stored on the user's record,
      meaning it was shared across all logged in browsers, meaning truly revoking
      a browser's ability to auto-log-in involves revoking the token itself, and
      revoking access from *all* logged-in browsers.
      We had a session mechanism that dynamically checks whether a user's session
      has been disabled, and would log out the user if so. However, this would only
      clear a session being actively used, and a new one could be respawned with
      the `remember_user_token` cookie.
      In practice, this caused two issues:
      - sessions could be revived after being closed from /auth/edit (security issue)
      - auto-log-in would be disabled for *all* browsers after logging out from one
        of them
      This PR removes the `remember_token` mechanism and treats the `_session_id`
      cookie/token as a browser-specific `remember_token`, fixing both issues.