codedecoder

breaking into the unknown…



clear session or cookie on browser close

The session and cookie are cleared automatically when a user logs out, but there is always the possibility that the user closes the browser without logging out. So, for security reasons, you may want to clear all session data when the user closes the browser. I will explain it in terms of Ruby on Rails, but the basic flow remains the same for any language.

STEP 1 : catch the browser close event.

I am using jQuery, but found that the unload function was not working for me: the browser closed without firing my alert. After googling for some time I found the alternative, onbeforeunload.

<script type="text/javascript">
window.onbeforeunload = function () {
    alert("I will do cleanup here");               // runs on close, reload and navigation away
    return "any string or keep it empty string";   // a non-empty return shows a leave/stay prompt
};
</script>

So the alert appears before the browser closes, showing that the callback fires; we will put our cleanup code in its place. Returning a string triggers a popup asking the user whether to leave the page or stay; if you do not want this behaviour, don't use the return statement. Two caveats: onbeforeunload fires whenever the document is about to be unloaded, so it runs on reload and on navigation to another page as well as on closing the window or tab, and current browsers show their own generic leave/stay message rather than the string you return (and may suppress alert() inside this handler), so do not rely on your text being seen.

Keep the script on the page where you want the cleanup to happen when the user closes the browser. If you want it for all pages, put it in your common layout, but remember that the handler also fires on ordinary navigation: in a shared layout the session would be cleared on every click between your own pages unless you detect and exclude internal navigation.

STEP 2 : make an AJAX call to your controller, which will clear the session

<script type="text/javascript">
window.onbeforeunload = function () {
    // ERB fills in the route helper below. The body is empty, so the
    // contentType/dataType settings are not strictly needed.
    $.ajax({
        url: "<%=session_clear_url%>",
        type: "POST",
        data: {},
        contentType: "application/json; charset=utf-8",
        dataType: "json"
    });
};
</script>

The URL should be that of the action where you clear the session. In my case session_clear_url is a Rails route helper, defined in routes.rb as below:

match 'clearSession' => 'loans#session_clear', :as => :session_clear

So it goes to the session_clear action of the loans controller. Two things to check here. First, this is a state-changing POST, so it must carry the CSRF token: with jquery-rails the X-CSRF-Token header is added to same-origin jQuery requests automatically, otherwise Rails' forgery protection will reject the request or discard the session it was meant to clear. The route should also accept only POST rather than every verb, as a bare match does. Second, a request started from onbeforeunload may be cancelled by the browser before it completes; navigator.sendBeacon exists for exactly this case and is the more reliable way to send it.

STEP 3: writing the cleanup code in the controller action

  def session_clear
    session[:EsignDisclosureAccepted] = nil
    session[:AccountNo] = nil
    render :text => "session cleared"
  end

So you can see that I have set EsignDisclosureAccepted and AccountNo in the session to nil. Note that this is not quite the same as deleting them: the keys stay in the session hash with nil values (and are still serialized into the cookie if you use the cookie store). session.delete removes a key, and reset_session discards all data and issues a new session id, which is what you want if the goal is to leave nothing behind. You can do any other cleanup here that your language provides. Also keep in mind that Rails' default cookie store keeps the session in a browser-session cookie with no expiry, which the browser itself discards when it exits (unless it is set to restore sessions); this server-side cleanup matters most when the session data lives in a server-side store such as the database or memcache, which outlives the cookie.
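To make the nil/delete/reset distinction and the CSRF check concrete, here is an added example (my own code, not the post's and not Rails' internals). Rails is not loaded: Session is a stand-in for the Rails session hash, secure_compare stands in for the constant-time comparison Rails uses for tokens, and session_clear plays the role of the controller action. The :_csrf_token key, the token value and the account data are assumptions made for the demo.

```ruby
require "securerandom"

# Stand-in for the Rails session (assumption: a hash of data plus an id).
class Session
  attr_reader :id

  def initialize(data = {})
    @id = SecureRandom.hex(16)
    @data = data.dup
  end

  def [](key);         @data[key];         end
  def []=(key, value); @data[key] = value; end
  def delete(key);     @data.delete(key);  end
  def key?(key);       @data.key?(key);    end
  def keys;            @data.keys;         end
end

# Constant-time comparison: the loop always runs over the full length, so the
# response time does not reveal how many leading bytes of the token matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  mismatch = 0
  a.bytes.zip(b.bytes) { |x, y| mismatch |= x ^ y }
  mismatch.zero?
end

# What the post's action does: keys are set to nil but remain in the session
# (and would still be serialized into a cookie-store cookie).
def clear_by_nil(session)
  session[:EsignDisclosureAccepted] = nil
  session[:AccountNo] = nil
  session
end

# Actually removing the keys.
def clear_by_delete(session)
  session.delete(:EsignDisclosureAccepted)
  session.delete(:AccountNo)
  session
end

# Model of the controller action. The POST must carry the CSRF token that was
# issued with the session; on success all data is dropped and a new session id
# is issued, which is what Rails' reset_session does.
# Returns [status, body, session-to-continue-with].
def session_clear(session, request_token)
  expected = session[:_csrf_token].to_s
  unless !expected.empty? && secure_compare(request_token.to_s, expected)
    return [403, "invalid CSRF token", session]
  end
  [200, "session cleared", Session.new]
end

if __FILE__ == $0
  # Constructed demo data.
  token = SecureRandom.hex(16)
  s = Session.new({ _csrf_token: token, AccountNo: "12345", EsignDisclosureAccepted: true })

  clear_by_nil(s)
  puts "after nil-ing:  keys=#{s.keys.inspect}"     # keys still present
  clear_by_delete(s)
  puts "after deleting: keys=#{s.keys.inspect}"     # only :_csrf_token left

  status, body, _same = session_clear(s, "not-the-token")
  puts "wrong token:    #{status} #{body}"           # 403, session untouched
  status, body, fresh = session_clear(s, token)
  puts "right token:    #{status} #{body}, id rotated=#{fresh.id != s.id}"
end
```

The shape to keep from this: the endpoint refuses anything without a valid token, and on success it throws the whole session away and rotates the id rather than blanking individual keys one at a time.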




Upgrading ruby version with RVM

One of my applications runs on Heroku. Recently I got an email from Heroku explaining a possible threat in existing Ruby versions. It says:

You are receiving this email because you run at least one Ruby (MRI) application on Heroku.
Early this morning, the Ruby project announced a security vulnerability in MRI 1.8.7, 1.9.2, 1.9.3, 2.0.0. The CVE identifier is CVE-2013-4164. Rubinius and JRuby are unaffected.
We believe this is limited to a denial of service vulnerability. Any Ruby application that parses JSON from an untrusted source can potentially be made to crash with little difficulty. There is also a slim theoretical possibility of a much more serious vulnerability, an Arbitrary Code Execution. We would like to stress that there are no known Proofs of Concept and this is purely theoretical, but can not be ruled out.
In response, we have released Ruby 1.8.7p375, 1.9.2p321, 1.9.3p484 and 2.0.0p353 which closes this attack vulnerability. Please upgrade as soon as possible.

The upgrade on Heroku takes place automatically the next time you deploy. To see which Ruby version Heroku is using for your application, run:

$ heroku run "ruby -v" -a APPNAME   # shows the current ruby

To upgrade the Ruby version on Heroku, just make an empty commit so that Heroku triggers a new deploy and updates the version itself:

$ git commit --allow-empty -m "upgrade ruby version"
$ git push heroku master

Anyway, our main goal here is to upgrade Ruby on another server or a local machine that uses RVM. You can do it with the simple steps below.

STEP 1 : check the current ruby used by your machine

$ ruby -v
ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux]

O.K., so we are using 1.9.3p125, i.e. patch level 125 of Ruby 1.9.3, which is vulnerable according to the email above. We need to upgrade it to patch level 484, which has the security fix.

STEP 2: check current ruby versions supported by your RVM

$ rvm list known
# MRI Rubies
[ruby-]1.8.7[-p358]
[ruby-]1.8.7-head
[ruby-]1.9.1[-p431]
[ruby-]1.9.2-p290
[ruby-]1.9.3[-p125]
[ruby-]1.9.3-head
ruby-head

O.K., it does not show patch 484, so you need to upgrade your RVM first.

STEP 3: Upgrading RVM to current stable version

$ rvm get stable

STEP 4: Again check the Ruby versions known to your RVM

$ rvm list known
# MRI Rubies
[ruby-]1.8.7[-p358]
[ruby-]1.8.7-head
[ruby-]1.9.1[-p431]
[ruby-]1.9.2-p290
[ruby-]1.9.3[-p125]
[ruby-]1.9.3-head
[ruby-]1.9.3[-p484]
ruby-head

So now our RVM knows the currently released patches for all the versions.

STEP 5 : Upgrading the ruby version

$ rvm upgrade 1.9.3-p125 1.9.3-p484 # upgrades the current 1.9.3-p125 to 1.9.3-p484; in fact you can upgrade to any version
Are you sure you wish to upgrade from ruby-1.9.3-p125 to ruby-1.9.3-p484? (Y/n):  # press Y
.
.
.
.
.

Are you sure you wish to MOVE gems from ruby-1.9.3-p125 to ruby-1.9.3-p484?
This will overwrite existing gems in ruby-1.9.3-p484 and remove them from ruby-1.9.3-p125 (Y/n): y #press Y
Moving gemsets…
Moving ruby-1.9.3-p125 to ruby-1.9.3-p484
Making gemset ruby-1.9.3-p484 pristine….

This takes 10 to 15 minutes depending on your connection.

NOTE :

=> Keep pressing Y whenever it asks you. Press n only if you want to configure something yourself, but I suggest going with the defaults as they worked smoothly for me.

=> If you installed Passenger on the server with the passenger gem, you need to reinstall it, as your gemset location has changed from ruby-1.9.3-p125 to ruby-1.9.3-p484 and the Passenger module must be rebuilt against the new Ruby.
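For the check in STEP 1, here is an added example (my own script, not from the post, RVM or Heroku) that turns the fixed patch levels quoted in the Heroku notice into a test you can run either against a ruby -v line or against the interpreter executing the script. The table lists only the four series the notice names; anything else is reported as not listed rather than as safe. The sample ruby -v lines are constructed.

```ruby
# Patch levels that close CVE-2013-4164, taken from the Heroku notice quoted above.
FIXED_PATCHLEVEL = {
  "1.8.7" => 375,
  "1.9.2" => 321,
  "1.9.3" => 484,
  "2.0.0" => 353,
}.freeze

# Parse the start of a `ruby -v` line such as
# "ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux]".
# Returns [version, patchlevel], with patchlevel nil for "dev" builds,
# or nil if the line is not recognised.
def parse_ruby_v(line)
  m = line.match(/\Aruby (\d+\.\d+\.\d+)(?:p(\d+)|dev)?/)
  return nil unless m
  [m[1], m[2] && m[2].to_i]
end

# :vulnerable, :fixed, :unknown_patchlevel, or :not_listed for a series the
# notice does not mention (newer releases are simply not covered by the table).
def cve_2013_4164_status(version, patchlevel)
  fixed = FIXED_PATCHLEVEL[version]
  return :not_listed unless fixed
  return :unknown_patchlevel if patchlevel.nil? || patchlevel < 0
  patchlevel >= fixed ? :fixed : :vulnerable
end

def status_from_ruby_v(line)
  parsed = parse_ruby_v(line)
  return :unparseable unless parsed
  cve_2013_4164_status(*parsed)
end

# Check the interpreter running this script (RUBY_PATCHLEVEL is -1 for head builds).
def running_interpreter_status
  cve_2013_4164_status(RUBY_VERSION, RUBY_PATCHLEVEL)
end

if __FILE__ == $0
  # Constructed sample lines in `ruby -v` format.
  [
    "ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux]",
    "ruby 1.9.3p484 [x86_64-linux]",
    "ruby 2.0.0p247 [x86_64-linux]",
    "ruby 1.9.3dev [x86_64-linux]",
    "ruby 2.1.0p0 [x86_64-linux]",
  ].each { |line| puts "#{status_from_ruby_v(line).to_s.ljust(18)} #{line}" }
  puts "this interpreter (#{RUBY_VERSION}p#{RUBY_PATCHLEVEL}): #{running_interpreter_status}"
end
```

Run it on each server after the RVM upgrade (or pipe the output of ruby -v from a remote host into status_from_ruby_v) to confirm the patch level actually changed, rather than trusting that the rvm upgrade step completed.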

 

REFERENCE :

http://rvm.io/rubies/upgrading