Comments on: Improve remember me cookie expiration in Devise (CVE-2015-8314)

By: Richard Baptist

Richard Baptist — Mon, 08 Feb 2016 09:17:00 +0000

Is there a mailing list for security announcements on the Devise gem? Have you considered posting this in the Ruby security announcements Ruby group?

By: Rodrigo Rosenfeld Rosas

Rodrigo Rosenfeld Rosas — Tue, 19 Jan 2016 11:55:00 +0000

In reply to Rodrigo Rosenfeld Rosas.

Hmm, I just realized we used a custom strategy for our own rememberable code which is not affected by this exploit. In our case the cookie is signed and contains the expire_at key. It seems I have created this strategy exactly due to this issue because this is the single comment in the code:

# make sure no permanent hacked cookie could be used:

Actually, I think this was initially created due to another issue regarding expiration handling but when I wrote the new strategy I noticed that the expire_at cookie should be signed.

By: Rodrigo Rosenfeld Rosas

Rodrigo Rosenfeld Rosas — Tue, 19 Jan 2016 10:27:00 +0000

In reply to josevalim. Oh, I always thought the expire was set in the cookie and signed. Thanks for letting us know, will upgrade immediately!

By: josevalim

josevalim — Tue, 19 Jan 2016 10:26:00 +0000

In reply to Rodrigo Rosenfeld Rosas. The 2 weeks is stored in the client, as part of the "Expires" value in the Set-Cookie header. So anyone can strip the Expires from the cookie and continue using it. That's why we have decided to move the expire date to inside the cookie and sign it, so the server has control over the expires and users will no longer be able to fiddle with it.

By: Rodrigo Rosenfeld Rosas

Rodrigo Rosenfeld Rosas — Tue, 19 Jan 2016 10:07:00 +0000

Hi, sorry but it’s not clear to me. Even if the user can steal the cookies, why would them be able to access the application indefinitely? If the remember-me cookie is valid for 2 weeks, for example, shouldn’t the cookie become invalid after that even if it is stolen?