Authentication DIY


Authentication DIY

0x01
I decided to hand-roll the authentication for my Rails app and wonder what gotchas I should know about. I have read the Rails security guide/OWASP and skimmed through the Sorcery codebase. I will be using the built-in has_secure_password and has_secure_token.

I am aware of session fixation attacks, so in order to prevent them I reset the session every time a user logs in. Also, password reset tokens have a very short expiry time and can be used only once (tokens aren't hashed though, see: https://news.ycombinator.com/item?id=5033266). I have also read about timing attacks, but I am not sure whether it is a material thing to worry about (i.e. leaking info about the system).

Assume all the usual suspects are covered: TLS, HSTS, strict CSP, CSRF tokens, SameSite cookies (Lax) with the "__Host-" prefix plus Secure/HttpOnly flags, security headers, encrypted DB at rest, password hashing with bcrypt with a high cost factor.

P.S. I know that there are several gems that provide auth functionality, but I still want to roll it myself.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/85710628-c592-44cb-a251-1d919f9ddee7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
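An added example (not the poster's code, and not taken from Sorcery or any gem) of the reset-token flow the post describes, with the one change the linked HN thread argues for: only a SHA-256 digest of the token is stored, so a read-only leak of the table cannot be turned into a working reset link. An in-memory Hash stands in for the users/tokens table, the 15-minute TTL is an assumption, and the injectable clock exists only so expiry can be exercised without sleeping.

```ruby
require "securerandom"
require "digest"

# Password-reset tokens that are short-lived, single-use and stored only as
# a digest. Hypothetical stand-in for a DB table: in Rails the digest and
# expires_at would be columns on the user (or a reset_tokens table).
class PasswordResetTokens
  TTL_SECONDS = 15 * 60 # assumption: 15-minute expiry

  Record = Struct.new(:user_id, :expires_at, :used_at)

  # clock is injectable so expiry can be tested without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @by_digest = {} # SHA-256(raw token) => Record
  end

  # Issue a token for user_id and return the raw value to e-mail. Only its
  # digest is kept. Any earlier token for the same user is revoked, so at
  # most one reset link is live at a time.
  def issue(user_id)
    revoke_all(user_id)
    raw = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
    @by_digest[digest(raw)] = Record.new(user_id, @clock.call + TTL_SECONDS, nil)
    raw
  end

  # Redeem a raw token: returns the user_id on success, nil otherwise.
  # The attacker-controlled input is hashed before the lookup, so an
  # ordinary indexed equality lookup is safe: whatever timing it leaks is
  # about the digest, which does not help recover a token that hashes to it.
  def redeem(raw)
    return nil unless raw.is_a?(String) && !raw.empty?
    rec = @by_digest[digest(raw)]
    return nil if rec.nil?
    now = @clock.call
    return nil if rec.used_at          # single use: already consumed
    return nil if now > rec.expires_at # expired
    rec.used_at = now
    rec.user_id
  end

  # Invalidate every outstanding token for a user. Call this on a
  # successful reset and on any password or e-mail change.
  def revoke_all(user_id)
    @by_digest.delete_if { |_, rec| rec.user_id == user_id }
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```

Hashing before lookup also answers the timing question: with raw tokens in the table you would need a constant-time comparison (ActiveSupport::SecurityUtils.secure_compare in Rails) and could not use an index; with digests you can index normally. The remaining things to get right are outside this class: deliver the raw token only over the e-mail channel, mark it used before signing the user in, and reset the session on that sign-in exactly as on a normal login.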

Re: Authentication DIY

İsmail Arılık
You can get help from here: https://www.railstutorial.org/book
In this book, the author implements authentication without using a package.

Also, Devise, which is the most popular authentication package for Rails, recommends this way to beginners: https://github.com/plataformatec/devise#starting-with-rails (You can also get help from the links on that page.)

On Fri, 5 Apr 2019 at 13:17, 0x01 <[hidden email]> wrote:


Re: Authentication DIY

0x01
Thanks for taking the time to write in!

I had already perused the resources you linked before writing this post. I was looking for more advanced material, hence I decided to write here.

All the best!


Re: Authentication DIY

Fatih Orhan
Chrome does not expire cookies, ever. Even when you set the correct parameters. So don't rely on the browser to invalidate cookies after the browser closes or after some duration offline. We keep the last request time in the session data and expire sessions server-side.

Users will have their passwords stolen. Log successful and failed logins with the IP to investigate later. And be prepared to add IP whitelisting and two-factor auth later.

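An added example (not Fatih's code and not from any gem) of the two points above: expiring sessions on the server from a stored last-request time instead of trusting the cookie's Expires/Max-Age, and writing a login audit line with the client IP. A plain Hash with string keys stands in for the Rails session, timestamps are stored as integers so they survive the JSON cookie serializer, and the 30-minute idle and 12-hour absolute limits are assumptions.

```ruby
require "json"
require "time"

# Server-side session lifetime plus a login audit record. Hypothetical
# helper: the session argument is a Hash standing in for the Rails session.
module SessionGuard
  IDLE_TIMEOUT = 30 * 60      # assumption: 30 min without a request
  ABSOLUTE_MAX = 12 * 60 * 60 # assumption: 12 h since login, activity or not

  # Establish a fresh session after the password check succeeded. Clearing
  # the keys is enough for this Hash model; in Rails call reset_session
  # first, because clearing values does not rotate the session id and an
  # attacker-planted id would otherwise be upgraded to a logged-in one.
  def self.login!(session, user_id, now: Time.now)
    session.clear
    session["user_id"] = user_id
    session["logged_in_at"] = now.to_i
    session["last_seen_at"] = now.to_i
    session
  end

  # Run from a before_action on every request. Returns :ok and refreshes
  # last_seen_at, or clears the session and returns the reason so the
  # caller can redirect to login. Absolute expiry is checked before idle
  # expiry, so an attacker who keeps a stolen session warm still loses it.
  def self.check(session, now: Time.now)
    return :no_session unless session["user_id"]
    n = now.to_i
    logged_in = session["logged_in_at"]
    last_seen = session["last_seen_at"]
    reason =
      if !logged_in.is_a?(Integer) || !last_seen.is_a?(Integer)
        :malformed # tampered or pre-upgrade session: treat as logged out
      elsif n - logged_in > ABSOLUTE_MAX
        :absolute_timeout
      elsif n - last_seen > IDLE_TIMEOUT
        :idle_timeout
      end
    if reason
      session.clear
      return reason
    end
    session["last_seen_at"] = n
    :ok
  end

  # One JSON line per login attempt, success or failure. The submitted
  # identifier is normalised so attempts on one account group together;
  # the password is never logged. ip should be the client address after
  # your proxy handling (request.remote_ip in Rails), not a raw header.
  def self.audit_line(email:, ip:, success:, now: Time.now, user_agent: nil)
    JSON.generate(
      "event" => success ? "login_success" : "login_failure",
      "email" => email.to_s.downcase.strip,
      "ip" => ip,
      "user_agent" => user_agent,
      "at" => now.utc.iso8601
    )
  end
end
```

The audit line is what makes the later additions cheap: an IP allow-list and a second factor both need to know which accounts are being hit from where, and failed-login counts per email and per IP from these lines are also the input for throttling.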