6da135a493
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, so it was shared across all logged-in browsers; truly revoking one browser's ability to auto-log-in therefore meant revoking the token itself, which revoked access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for *all* browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.