Insecure session management - Change Password - Ruby

Need

Secure session management after changing passwords

Context

  • Usage of Ruby 2.0+ for developing Ruby applications
  • Usage of Rails framework for building web applications

Description

Non compliant code

    class UsersController < ApplicationController
      def change_password
        if current_user && current_user.authenticate(params[:old_password])
          current_user.password = params[:new_password]
          current_user.save
          # The existing session is left untouched here: it stays valid for
          # this browser and for anyone else who already holds it.
          redirect_to root_path, notice: 'Password changed successfully'
        else
          redirect_to change_password_path, alert: 'Old password is incorrect'
        end
      end
    end

The above code is vulnerable to insecure session management after a password change. Here's why:

In the change_password method, the user's password is replaced once the old password authenticates correctly. Nothing happens to the session, though: it remains open and the user is simply redirected to the root path. Any session already established for the account therefore keeps working after the change, including one an attacker obtained earlier or used to change the password in the first place, so the attacker can continue to act on behalf of the user.

The session should be invalidated whenever the password changes, so that no pre-existing session can be misused. In Rails this is done by calling reset_session after the new password has been saved; it discards all session-specific data and also helps prevent session fixation attacks.

Steps

  • Implement a session expiration mechanism that invalidates the session after a password change.
  • Generate a new session token and store it in the session after a password change, so sessions issued with the old token stop validating.
  • Ensure that the session token is stored and transmitted securely.
  • Consider additional security measures such as multi-factor authentication.

Compliant code

    class UsersController < ApplicationController
      def change_password
        if current_user && current_user.authenticate(params[:old_password])
          current_user.password = params[:new_password]
          if current_user.save
            # Invalidate the session only once the new password is persisted
            # (sign_out as provided by Devise), so that no session issued
            # before the change, including this one, remains usable.
            sign_out current_user
            redirect_to new_session_path, notice: 'Password changed successfully. Please sign in again.'
          else
            redirect_to change_password_path, alert: 'New password is invalid'
          end
        else
          redirect_to change_password_path, alert: 'Old password is incorrect'
        end
      end
    end

The updated code introduces a session invalidation mechanism after a password change: the current_user is signed out once their password has been successfully changed. The user is then redirected to the sign-in page with a notice informing them that the password has been changed and that they need to sign in again.

This ensures that the session is invalidated after a password change, mitigating the risk of session hijacking. If an attacker had previously obtained the session token, they would be unable to use it after the password change, because the session associated with that token is no longer valid.
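As an added illustration (not code from this page, nor from Rails or Devise), the following self-contained Ruby models the mechanism the steps above describe and that the compliant controller relies on: each user carries a session token that is rotated when the password changes, so every session issued before the change, including one an attacker may already hold, stops validating, while the caller's own session is reset as well. The names User, SessionStore, change_password and demo, and the PBKDF2-based digest, are assumptions made for this example; a Rails application would use has_secure_password with bcrypt and its real session store.

```ruby
require "openssl"
require "securerandom"

# Constant-time comparison so token checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed stand-in for a Rails user record. Rails' has_secure_password uses
# bcrypt; PBKDF2 from the standard library is used here so the example runs alone.
class User
  attr_reader :session_token

  def initialize(password)
    @salt = SecureRandom.random_bytes(16)
    @password_digest = digest(password)
    rotate_session_token!
  end

  def authenticate(password)
    secure_equal?(digest(password), @password_digest)
  end

  # Changing the password also rotates the per-user token, so any session that
  # still carries the old token fails validation from this point on.
  def change_password!(new_password)
    @password_digest = digest(new_password)
    rotate_session_token!
  end

  def rotate_session_token!
    @session_token = SecureRandom.hex(32)
  end

  private

  def digest(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, @salt, 20_000, 32, OpenSSL::Digest.new("SHA256"))
  end
end

# Constructed in-memory session store. Each session records the token the user
# had when it was issued, which is what session[:session_token] would hold in Rails.
class SessionStore
  def initialize
    @sessions = {}
  end

  def sign_in(user)
    id = SecureRandom.hex(16)
    @sessions[id] = { user: user, token: user.session_token }
    id
  end

  # Analogue of a current_user helper: a session is live only if the token it
  # was issued with still matches the user's current token.
  def current_user(session_id)
    entry = @sessions[session_id]
    return nil unless entry && secure_equal?(entry[:token], entry[:user].session_token)
    entry[:user]
  end

  # Analogue of Rails' reset_session: drop the caller's own session outright.
  def reset_session(session_id)
    @sessions.delete(session_id)
  end
end

# The controller action reduced to a function: verify the old password, persist
# the new one, then invalidate sessions. Returns a symbol instead of redirecting.
def change_password(store, session_id, old_password, new_password)
  user = store.current_user(session_id)
  return :old_password_incorrect unless user && user.authenticate(old_password)
  user.change_password!(new_password)   # rotates the token: evicts every other session
  store.reset_session(session_id)       # and drops this one, as sign_out/reset_session would
  :password_changed
end

# Walk-through with the user's own session and a second, previously obtained
# session on the same account (both constructed for the example).
def demo(old_password_supplied = "correct horse")
  user = User.new("correct horse")
  store = SessionStore.new
  own_session = store.sign_in(user)
  other_session = store.sign_in(user)
  result = change_password(store, own_session, old_password_supplied, "battery staple")
  {
    result: result,
    own_session_live: !store.current_user(own_session).nil?,
    other_session_live: !store.current_user(other_session).nil?,
    fresh_login_live: !store.current_user(store.sign_in(user)).nil?,
  }
end

if __FILE__ == $PROGRAM_NAME
  p demo                   # both old sessions dead, a fresh sign-in works
  p demo("wrong password") # nothing changes, all sessions stay live
end
```

Rotating a per-user token is what lets the fix cover sessions the controller cannot see (those on other devices or held by an attacker): reset_session alone only clears the caller's session, while the token comparison in current_user rejects every session issued before the change on its next request.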

In addition, consider further measures such as multi-factor authentication to strengthen the security of your application.

References