Hi Brendan, This sort of work is very much appreciated, but since this involves security, I hope you won't mind if I make a few criticisms.
When dealing with security, it's extremely important that you don't re-implement existing functionality without good reason. A large part of avoiding security flaws is minimising the surface area of code exposed to attackers. In your library, you re-implement a lot of the functionality that already exists in the standard Ring session middleware. There's no reason for this. You could implement all the functionality in :auth-session as middleware that sits on top of the standard Ring middleware.

You have a :csrf-token option for wrap-auth-session, but you do nothing with it. Hopefully you won't implement your own anti-CSRF middleware, but instead use the standard ring-anti-forgery library.

A lot of the functionality of your code could be boiled down to:

    ;; request-url and redirect come from Ring's own utility namespaces
    (require '[ring.util.request :refer [request-url]]
             '[ring.util.response :refer [redirect]])

    (defn wrap-secure-sessions [handler]
      (fn [request]
        (if (and (:session request) (insecure-session? request))
          ;; bounce the client back to the same URL with the session cleared
          (-> request request-url redirect (assoc :session nil))
          (handler request))))

Where the "insecure-session?" function makes a decision as to whether the session is too old, or has been accessed over HTTP rather than HTTPS.

However, all this is a moot point, as there are better ways of achieving the same functionality. The session store itself should be expiring sessions, rather than the session middleware, as the middleware can only expire sessions it's currently being accessed by. If you rely on middleware to expire sessions as they come in, you'll build up a backlog of sessions from visitors who will never return to your site.

For HTTPS sessions, the "Secure" flag should be set on the session cookies, which means that the browser will never send the cookie over HTTP, therefore making it unnecessary to delete sessions over insecure connections. Ideally you want both :secure and :http-only to ensure that the cookie is only delivered to your server over a secure connection.
- James

On 17 May 2014 17:18, Brendan Younger <brendan.youn...@gmail.com> wrote:
> Hi all,
>
> In light of Aaron Bedra's talk <https://www.youtube.com/watch?v=CBL59w7fXw4&list=PLZdCLR02grLp__wRg5OTavVj4wefg69hM&index=6> at Clojure/West this past March on the (lack of) security in Clojure webapps, I've written a small, easy-to-understand middleware for keeping your authenticated session secure.
>
> Ring-auth aims to implement all the recommendations from OWASP about secure session storage while at the same time not putting undue constraints on how you architect your app. Just place authentication information in an :auth-session key in your ring responses and you're all set.
>
> Check it out at: https://github.com/brendanyounger/ring-auth
>
> Brendan Younger
>
> --
> You received this message because you are subscribed to the Google Groups "Clojure" group.
> To post to this group, send email to clojure@googlegroups.com
> Note that posts from new members are moderated - please be patient with your first post.
> To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com
> For more options, visit this group at http://groups.google.com/group/clojure?hl=en
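The two recommendations in James's reply (let the session store expire sessions itself, and set Secure and HttpOnly on the cookie) put together as an added Clojure example; this is not code from ring-auth or from the thread, and ExpiringMemoryStore, expiring-memory-store and the counter handler are invented for it on top of Ring's own wrap-session and SessionStore protocol.

```clojure
(ns example.secure-session
  (:require [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.store :refer [SessionStore]]))

;; An in-memory store that expires entries itself, so stale sessions from
;; visitors who never return are dropped without any middleware seeing them.
;; now-fn is injectable (assumed helper) so expiry can be tested without sleeping.
(deftype ExpiringMemoryStore [sessions ttl-ms now-fn]
  SessionStore
  (read-session [_ k]
    (let [now (now-fn)
          {:keys [data expires]} (get @sessions k)]
      (if (and data (< now expires))
        data
        ;; expired or unknown key: drop it and start a fresh session
        (do (swap! sessions dissoc k) {}))))
  (write-session [_ k data]
    (let [k   (or k (str (java.util.UUID/randomUUID)))
          now (now-fn)]
      ;; sweep every expired entry on each write, then store the new value
      (swap! sessions
             (fn [m]
               (-> (into {} (remove (fn [[_ v]] (<= (:expires v) now)) m))
                   (assoc k {:data data :expires (+ now ttl-ms)}))))
      k))
  (delete-session [_ k]
    (swap! sessions dissoc k)
    nil))

(defn expiring-memory-store
  ([ttl-ms] (expiring-memory-store ttl-ms #(System/currentTimeMillis)))
  ([ttl-ms now-fn] (ExpiringMemoryStore. (atom {}) ttl-ms now-fn)))

;; Minimal handler that keeps a per-session visit counter.
(defn handler [request]
  (let [n (inc (get-in request [:session :count] 0))]
    {:status  200
     :headers {"Content-Type" "text/plain"}
     :body    (str "visit " n)
     :session {:count n}}))

(def app
  (wrap-session handler
                {:store (expiring-memory-store (* 30 60 1000)) ; 30 minute TTL
                 ;; :secure    -> browser only sends the cookie over HTTPS
                 ;; :http-only -> page scripts cannot read the cookie
                 :cookie-attrs {:secure true :http-only true}}))
```

With this arrangement nothing in the request path has to delete sessions seen over HTTP, because the browser never sends the cookie over HTTP in the first place.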