The cookie store is vulnerable to session replay attacks.

author: Sytse Sijbrandij <sytse@dosire.com> 2013-10-11 19:54:38 +0400
committer: Sytse Sijbrandij <sytse@dosire.com> 2013-10-11 19:54:46 +0400
commit: ba7c1764be87f272759471bde01b92dcc147e952 (patch)
tree: 569b61144a8ba0ba607a5b805827f3d108daeaf5 /config
parent: f81532b5b929d5fa8fdf72a71eb036b0cf27735b (diff)
1 files changed, 7 insertions, 9 deletions
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 52a099c3e16..501cad4a838 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,11 +1,9 @@
 # Be sure to restart your server when you modify this file.
 
-Gitlab::Application.config.session_store :cookie_store, key: '_gitlab_session',
-                                                      secure: Gitlab::Application.config.force_ssl,
-                                                      httponly: true,
-                                                      path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
-
-# Use the database for sessions instead of the cookie-based default,
-# which shouldn't be used to store highly confidential information
-# (create the session table with "rails generate session_migration")
-# Gitlab::Application.config.session_store :active_record_store
+Gitlab::Application.config.session_store(
+  :redis_store, # Using the cookie_store would enable session replay attacks.
+  key: '_gitlab_session',
+  secure: Gitlab::Application.config.force_ssl,
+  httponly: true,
+  path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
+)
author	Sytse Sijbrandij <sytse@dosire.com>	2013-10-11 19:54:38 +0400
committer	Sytse Sijbrandij <sytse@dosire.com>	2013-10-11 19:54:46 +0400
commit	ba7c1764be87f272759471bde01b92dcc147e952 (patch)
tree	569b61144a8ba0ba607a5b805827f3d108daeaf5 /config
parent	f81532b5b929d5fa8fdf72a71eb036b0cf27735b (diff)