canvas-lms/config/session_store.yml.example

development:
  session_store: encrypted_cookie_store
  expire_after: 86400 # 1 day in seconds
Use same_site none for session store for relative file links

fixes LA-637
flag=none

Test plan
- Verify that as long as you don't have a separate files domain, you can't reproduce this issue in dev (should just work out of the box)
- Install puma-dev from github.com/puma/puma-dev
- Follow the Set up instructions, but configure at least 1 extra domain (.test and something else with the -d switch, it looks like `puma-dev -install -d test:files`)
- Make sure to get the symlink set up
- Add `export THREADS=1` to ~/.powconfig
- In Canvas, in domain.yml under development, add a files_domain that has the same app name, but a different domain (i.e. I set up my domain as canvas-lms.test and my files domain as canvas-lms.files); if you switch back to not using puma-dev, you will need to change these back to what they were
- Also add ssl: true
- In session_store.yml under development, add secure: true
- To start, set up puma-dev in launchctl: `launchctl load ~/Library/LaunchAgents/io.puma.dev.plist`
- To view the server logs, use `less -R log/development.log` and then F
- To have Chrome accept the certificates, open your Keychain Access (on MacOS) and move the Puma-dev CA to System
- Create an HTML file that has a link like 'other_file.jpg' and upload both files to a Canvas course in the same folder
- In Chrome, turn on the flags for same site by default cookies and cookies without samesite must be secure
- Open the file and ensure that it is showing the linked file, and that it is serving it from another domain
- Get an old version of Safari somehow (XCode or otherwise) (version on iOS 12 will do it) and verify you can still log in to Canvas

Change-Id: I84e62cc16e3730ffb6bc2d4d7de9b772eedf260e
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/227939
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Jeremy Stanley <jeremy@instructure.com>
Product-Review: Mysti Lilla <mysti@instructure.com>
2020-02-25 04:52:55 +08:00
  # secure: true
production:
  session_store: encrypted_cookie_store
  expire_after: 86400 # 1 day in seconds
  # uncomment this option if your canvas install is over HTTPS, and the cookies
  # will be SSL-only
  #
  # secure: true
  #
make "stay logged in" use a one-time token

closes #6382

Previously, the "stay logged in" cookie just used the authlogic default implementation, which is the pseudonym persistence_token. This is a problem, because that persistence_token only ever changes when the pseudonym password changes, so it's the same everywhere; so if that cookie is stolen, it's valid for a very long time.

This switches us to one-time-use tokens that expire as soon as the token logs the user in once. Each user agent also gets a different one-time-use token.

Change-Id: I4f20cd7759fd74590e82ed55797552e342243d49

testplan:
* Check that no token is set at all when "stay logged in" isn't selected.
* Check "stay logged in", and verify:
  * That you don't have to log in again after restarting your browser, but your _normandy_session got reset.
  * That if you save and try to replay using the same pseudonym_credentials, they don't work the second time.
  * That a second browser will get a different pseudonym_credentials value, and using one token doesn't affect the other.
  * That once the token is used, a new one is generated and set in your cookies. Verify this new token works as well.
  * That logging out removes the pseudonym_credentials cookie in your browser. And also that manually restoring this cookie still doesn't log you in, since it was removed server-side as well.
* Change your password, and verify that the existing "stay logged in" tokens no longer work.
* Delete your pseudonym, and verify the same.

Reviewed-on: https://gerrit.instructure.com/7093
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Reviewed-by: Zach Wily <zach@instructure.com>
2011-11-22 05:20:48 +08:00
  # change the time that "stay logged in" tokens are valid for, defaults to 1 month
  #
  # expire_remember_me_after: 2592000
test:
  session_store: encrypted_cookie_store
  expire_after: 86400 # 1 day in seconds
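The single-use, per-user-agent "stay logged in" token scheme described in the commit message above, as an added Ruby example that is not Canvas's own implementation (the class, method names and in-memory store are assumptions). It keeps only a digest of each token server-side, rotates the token on every use so a replayed cookie fails, and invalidates tokens on logout, pseudonym deletion and password change; the lifetime defaults to the 2592000 seconds of expire_remember_me_after.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical store for single-use "stay logged in" tokens (not Canvas's code).
# Only a SHA-256 digest of each token is kept server-side, so a leaked table
# does not yield usable cookies. Tokens are tracked per pseudonym and user agent.
class RememberMeTokens
  DEFAULT_TTL = 2_592_000 # 30 days, the expire_remember_me_after default

  def initialize(ttl: DEFAULT_TTL)
    @ttl = ttl
    @tokens = {} # digest => { pseudonym_id:, user_agent:, pw_version:, expires_at: }
    @password_version = Hash.new(0) # pseudonym_id => bumped on every password change
  end

  # Issue a fresh token for this pseudonym and user agent; any earlier token for
  # the same user agent is dropped so each browser holds exactly one.
  def issue(pseudonym_id, user_agent, now: Time.now)
    @tokens.delete_if { |_, t| t[:pseudonym_id] == pseudonym_id && t[:user_agent] == user_agent }
    raw = SecureRandom.urlsafe_base64(32)
    @tokens[Digest::SHA256.hexdigest(raw)] = { pseudonym_id: pseudonym_id, user_agent: user_agent,
                                               pw_version: @password_version[pseudonym_id],
                                               expires_at: now + @ttl }
    raw
  end

  # Consume a token: it is deleted as soon as it is presented, so a replay fails.
  # It must be unexpired, come from the same user agent and carry the current
  # password version. Returns [pseudonym_id, replacement_token] or nil.
  def redeem(raw, user_agent, now: Time.now)
    t = raw && @tokens.delete(Digest::SHA256.hexdigest(raw))
    return nil if t.nil? || t[:expires_at] <= now || t[:user_agent] != user_agent
    return nil if t[:pw_version] != @password_version[t[:pseudonym_id]]
    [t[:pseudonym_id], issue(t[:pseudonym_id], user_agent, now: now)]
  end

  # Logout or pseudonym deletion: drop every token server-side, so a cookie
  # restored in the browser afterwards no longer logs in.
  def revoke_all(pseudonym_id)
    @tokens.delete_if { |_, t| t[:pseudonym_id] == pseudonym_id }
  end

  # Password change: tokens issued earlier carry the old version and stop validating.
  def password_changed(pseudonym_id)
    @password_version[pseudonym_id] += 1
  end
end
```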