Devise has been reported to be vulnerable to CSRF token fixation attacks. The attack can only be exploited if the attacker can set the target session, either by subdomain cookies (similar to described here) or by fixation over the same Wi-Fi network. If the user knows the CSRF token, cross-site forgery requests can be made. … »

Devise 3.0 rc version with Rails 4 compatibility and new 2.2.4 stable version. Simple Form, Responders, Show For and Mail Form versions with Rails 4 compatibility.

We are very glad to announce the logos for two of our favorite Rails open source projects… Simple Form: And Devise: We would like to congratulate our designer, Bruna Kochi, who was able to capture the essence of each project in their logos. We will write about their design process soon! Those projects have been … »

Hi everybody. I’d like to announce that Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 have been released with a security patch. Upgrade immediately unless you are using PostgreSQL or SQLite3. Users of all other databases (including NoSQL ones) require immediate upgrade. Using a specially crafted request, an attacker could trick the database type conversion code to … »

In this blog post we talk about a new feature upcoming on Devise 2.1 that aims to provide developers faster feedback in case a model is missing a field required by Devise behaviors.

Devise 2.0 was just released. This version is not a big refactoring, nor contains stellar features, it is simply another step towards a very mature authentication library.