web-security

jumar 2024-08-30T13:39:55.780499Z

We are using the ring-session middleware with https://github.com/clj-commons/friend and it mostly works fine. However, one thing it doesn't do is to regenerate the session when users log in. This is a common advice in order to prevent session fixation attacks. Is anybody doing that (using Friend or other tools)? If so, how?

mloughlin 2025-01-17T15:51:05.643759Z

https://github.com/ring-clojure/ring/wiki/Sessions > If you simply want to recreate the session, due to a privilege escalation for example, add the :recreate key to the session metadata. This will cause the session identifier that is sent to the browser to change.

(require '[ring.util.response :refer [response]])

;; Setting :recreate in the session metadata makes the session store drop the
;; old session and issue a fresh identifier to the browser on this response.
(defn handler [request]
  (-> (response "Session identifier recreated")
      (assoc :session (vary-meta (:session request) assoc :recreate true))))

mloughlin 2025-01-17T15:55:26.603099Z

It comes down to using ring.middleware.session/wrap-session: https://github.com/ring-clojure/ring/blob/f7dfe7c9b98c335e4573e61d94c523d5df9a6667/ring-core/src/ring/middleware/session.clj#L44. Adding the meta k/v [:recreate true] causes the session store to delete the old one and make a new one.

Eugen 2025-01-05T18:52:36.497459Z

thanks

Eugen 2025-01-04T19:56:50.578379Z

do you remember why you chose friend over buddy or other auth solutions?

jumar 2025-01-05T04:52:26.268599Z

I wasn't there then, but I think it was kinda arbitrary; those were simply the libraries available at that time.