Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

create_with_otp destroys existing session #39

Closed
borgand opened this issue Oct 25, 2016 · 6 comments
Closed

create_with_otp destroys existing session #39

borgand opened this issue Oct 25, 2016 · 6 comments

Comments

@borgand
Copy link

borgand commented Oct 25, 2016

The DeviseOtpAuthenticatable::Hooks::Sessions#create_with_otp method destroys previous data in warden.session when OTP challenge is required. See sessions.rb:23

This conflicts with many important features of Devise and related plugins, such as:

  • return_to functionality is ignored - user is redirected to root URL instead of requested resource when authentication is complete
  • password_expired information is lost in the Devise Security Extensions plugin, meaning that the users are not required to change their passwords, regardless that they are actually expired.
  • probably many other features too, that I did not test yet.

I tried to tweak the code to get around this, but failed as I'm not familiar with the concepts of Devise-OTP.

Can the Devise-OTP functionality be altered so that previous session information is persisted? This seems reasonable, taking into account that OTP most often is used together with another authentication mechanism to form 2FA and that other mechanism can expect session to persist once created.
@strzibny
Copy link
Collaborator

@borgand is this still relevant? what would be the acceptable behaviour?

@borgand
Copy link
Author

borgand commented Mar 24, 2022
edited
Loading

Hi!
We are migrating away from this gem due to this, so this is so relevant, but probably we complete migration before any fixes.

Two main aspects:

  • UX: any user using either a direct link or working on a page when session express will be redirected to root page, loosing context and needing to navigate again.
  • Security: allowing to continue login with expired password is a potential vulnerability.

Therefore I still suggest this to be fixed.

Acceptable behaviour would be that the session data is persisted during an OTP challenge.

😄

@strzibny
Copy link
Collaborator

Thanks for a quick reply. I'll look into it.

@strzibny
Copy link
Collaborator

Btw this commit probably fixed the location at least (but I understand there are other possible issues) 7c2fbe9

@strzibny
Copy link
Collaborator

Security: allowing to continue login with expired password is a potential vulnerability.

Do I understand it correctly that this is only due to use of Devise Security Extensions plugin? Like due to logging out this is not compatible?

@strouptl
Copy link
Collaborator

@strzibny, I have a solution for this issue in PR #80.

@strzibny strzibny closed this as completed Jun 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@borgand @strzibny @strouptl