
281 - Enhance Security by Implementing reset_session in SubmittersController #282

Merged
merged 2 commits into from
Nov 27, 2023

Conversation

Janell-Huyck
Contributor

Fixes #281

Description

This PR introduces a crucial security enhancement to our SubmittersController by implementing the reset_session method. This change is designed to mitigate session fixation attacks, a type of security vulnerability where an attacker can potentially hijack a user's session.

Changes Made

Incorporated reset_session in the create action of the SubmittersController.
This change ensures that a new session is started every time a submitter account is created, invalidating any previously existing session identifiers.

Implementation Details

The reset_session method is called immediately before we set the new submitter_id in the session after successfully creating a new submitter.
This effectively clears any existing session data and establishes a new, clean session.

Testing

Added RSpec tests to verify that the old session is cleared and a new session is established with a new submitter_id after the creation of a new submitter.

Impact

This change adds an extra layer of security for our users and protects the integrity of their sessions, especially during the account creation process.
There are no expected impacts on performance or existing functionalities.

@Janell-Huyck Janell-Huyck changed the title 281 Enhance Security by Implementing reset_session in SubmittersController 281 - Enhance Security by Implementing reset_session in SubmittersController Nov 15, 2023
@Janell-Huyck Janell-Huyck changed the title 281 - Enhance Security by Implementing reset_session in SubmittersController WIP 281 - Enhance Security by Implementing reset_session in SubmittersController Nov 21, 2023
Member

@hortongn hortongn left a comment


@Janell-Huyck your specs still pass even when the reset_session is removed.

@Janell-Huyck
Contributor Author

> @Janell-Huyck your specs still pass even when the reset_session is removed.

Fixed it. Thanks for checking!
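The reviewer's observation above (specs passing with reset_session removed) is the failure mode worth pinning down, and the PR description's Implementation Details and Testing sections describe the intended behaviour. The following is an added example, not code from this repository: a dependency-free Ruby simulation of the create action with a hypothetical `FakeSession` and `SubmittersControllerSim`, contrasting a weak spec that only checks `submitter_id` against a strong one that also asserts the session id changed and stale data is gone.

```ruby
require 'securerandom'

# Stand-in for a Rack/Rails session: an id plus a data hash.
# Constructed for this example; not the application's real session store.
class FakeSession
  attr_reader :id, :data
  def initialize(id = SecureRandom.hex(16), data = {})
    @id = id
    @data = data
  end
  def [](key); @data[key]; end
  def []=(key, value); @data[key] = value; end
end

# Hypothetical controller mirroring the PR's create action.
# `rotate:` toggles the reset_session call so both spec styles can be compared.
class SubmittersControllerSim
  attr_reader :session
  def initialize(session); @session = session; end
  def reset_session; @session = FakeSession.new; end   # fresh id, empty data
  def create(submitter_id, rotate: true)
    reset_session if rotate                  # the change introduced by the PR
    session[:submitter_id] = submitter_id    # set AFTER the reset, as the PR states
    self
  end
end

# Weak spec: only checks submitter_id was stored. It passes with or without
# reset_session, which is exactly what the reviewer observed.
def weak_spec_passes?(rotate:)
  stale = FakeSession.new("id-known-before-signup", { cart: "stale" })
  ctl = SubmittersControllerSim.new(stale).create(42, rotate: rotate)
  ctl.session[:submitter_id] == 42
end

# Strong spec: capture the pre-signup session, then assert the id rotated,
# the stale data is gone, and the new submitter_id is present.
# This fails as soon as reset_session is removed.
def strong_spec_passes?(rotate:)
  before = FakeSession.new("id-known-before-signup", { cart: "stale" })
  after = SubmittersControllerSim.new(before).create(42, rotate: rotate).session
  after.id != before.id && after[:cart].nil? && after[:submitter_id] == 42
end
```

In a real RSpec request spec the analogous check compares the session cookie value seen before and after the POST, which is what makes the spec sensitive to the reset_session call.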

@Janell-Huyck Janell-Huyck changed the title WIP 281 - Enhance Security by Implementing reset_session in SubmittersController 281 - Enhance Security by Implementing reset_session in SubmittersController Nov 21, 2023
Member

@hortongn hortongn left a comment


👍 merging

@hortongn hortongn merged commit 4d66555 into qa Nov 27, 2023
2 checks passed
@hortongn hortongn deleted the security-281-prevent-session-fixation branch November 27, 2023 15:49
Successfully merging this pull request may close these issues.

Prevent session fixation attack in submitters controller