Release 2.2.5

Update CHANGELOG
Protect against CSRF token fixation attacks
2026-01-09 23:58:06 -05:00 · 2013-08-02 23:24:17 +02:00 · 2013-08-02 23:22:39 +02:00 · 2013-08-02 23:16:32 +02:00
7 changed files with 36 additions and 1 deletions
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@@ -1,3 +1,8 @@
+== 2.2.5
+
+* bug fix
+  * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.
+
 == 2.2.4

 * enhancements
--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -221,6 +221,10 @@ module Devise
  mattr_accessor :omniauth_path_prefix
  @@omniauth_path_prefix = nil

+  # Set if we should clean up the CSRF Token on authentication
+  mattr_accessor :clean_up_csrf_token_on_authentication
+  @@clean_up_csrf_token_on_authentication = true
+
  def self.encryptor=(value)
    warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
  end
--- a/lib/devise/hooks/csrf_cleaner.rb
+++ b/lib/devise/hooks/csrf_cleaner.rb
@@ -0,0 +1,5 @@
+Warden::Manager.after_authentication do |record, warden, options|
+  if Devise.clean_up_csrf_token_on_authentication
+    warden.request.session.try(:delete, :_csrf_token)
+  end
+end
--- a/lib/devise/models/authenticatable.rb
+++ b/lib/devise/models/authenticatable.rb
@@ -1,4 +1,5 @@
 require 'devise/hooks/activatable'
+require 'devise/hooks/csrf_cleaner'

 module Devise
  module Models
--- a/lib/devise/version.rb
+++ b/lib/devise/version.rb
@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.2.4".freeze
+  VERSION = "2.2.5".freeze
 end
--- a/lib/generators/templates/devise.rb
+++ b/lib/generators/templates/devise.rb
@@ -76,6 +76,12 @@ Devise.setup do |config|
  # passing :skip => :sessions to `devise_for` in your config/routes.rb
  config.skip_session_storage = [:http_auth]

+  # By default, Devise cleans up the CSRF token on authentication to
+  # avoid CSRF token fixation attacks. This means that, when using AJAX
+  # requests for sign in and sign up, you need to get a new CSRF token
+  # from the server. You can disable this option at your own risk.
+  # config.clean_up_csrf_token_on_authentication = true
+
  # ==> Configuration for :database_authenticatable
  # For bcrypt, this is the cost for hashing the password and defaults to 10. If
  # using other encryptors, it sets how many times you want the password re-encrypted.
--- a/test/integration/authenticatable_test.rb
+++ b/test/integration/authenticatable_test.rb
@@ -327,6 +327,20 @@ class AuthenticationSessionTest < ActionDispatch::IntegrationTest
    assert_redirected_to new_user_session_path
  end

+  test 'refreshes _csrf_token' do
+    ApplicationController.allow_forgery_protection = true
+
+    begin
+      get new_user_session_path
+      token = request.session[:_csrf_token]
+
+      sign_in_as_user
+      assert_not_equal request.session[:_csrf_token], token
+    ensure
+      ApplicationController.allow_forgery_protection = false
+    end
+  end
+
  test 'allows session to be set for a given scope' do
    sign_in_as_user
    get '/users'
Author	SHA1	Message	Date
José Valim	373fd03ebc	Release 2.2.5	2013-08-02 23:24:17 +02:00
José Valim	b3eace20c7	Update CHANGELOG	2013-08-02 23:22:39 +02:00
José Valim	415fa2ad21	Protect against CSRF token fixation attacks	2013-08-02 23:16:32 +02:00