Previously, live_sessions had a version field that was generated randomly whenever the router was compiled. We checked the version field on live_redirects and enforced a full redirect (as when a user navigates, that is a good point in time to force a full navigation, right?).

It turns out that live navigation on the client is actually implemented in a way that every reconnect after the first live navigation is also treated as a navigation. Therefore, after a deployment that changed the router, LiveViews that were mounted through a live navigation were never remounted, but always fully reloaded, losing any state and preventing form recovery from working.

As the security mechanism of live_session is primarily based on the live_session name, checking the name is generally enough. There could be a case where previously a live_session called `:admin` was defined that a user had access to and, after deployment, those routes were instead moved to a `:semiadmin` live session and now super sensitive routes are accessible in the `:admin` live session. In this case, a user could try to mount a route from this super sensitive section, but even then, those routes SHOULD be protected by on_mount hooks that run and properly check authorization, e.g. based on the user_id in the session.

So to sum this up, the version field of the live session is not needed, causes problems at the moment and is therefore removed.
josevalim approved these changes Mar 19, 2025
SteffenDE added a commit that referenced this pull request Mar 20, 2025
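The on_mount authorization that the description relies on, as an added example (not code from this pull request or from Phoenix LiveView itself). It shows per-live_session hooks that re-check the user's role on every mount, so access to the `:admin` routes never depends on the live_session name alone. The `MyApp*` modules, `MyApp.Accounts.get_user/1`, the `:role` field and the route paths are assumptions.

```elixir
# Added example: all MyApp* names, the :role field and the paths are hypothetical.
defmodule MyAppWeb.RoleAuth do
  import Phoenix.Component, only: [assign_new: 3]
  import Phoenix.LiveView, only: [redirect: 2]

  # on_mount runs on every mount: full page load, reconnect, or live navigation.
  def on_mount(:ensure_staff, _params, session, socket),
    do: authorize(socket, session, [:staff, :admin])

  def on_mount(:ensure_admin, _params, session, socket),
    do: authorize(socket, session, [:admin])

  defp authorize(socket, session, allowed_roles) do
    socket = assign_new(socket, :current_user, fn -> load_user(session) end)
    user = socket.assigns.current_user

    if user && user.role in allowed_roles do
      {:cont, socket}
    else
      # Halting requires a redirect; the LiveView's own mount/3 never runs.
      {:halt, redirect(socket, to: "/")}
    end
  end

  # Assumed helper: look the user up from the user_id stored in the session.
  defp load_user(%{"user_id" => id}), do: MyApp.Accounts.get_user(id)
  defp load_user(_session), do: nil
end

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :browser do
    plug :fetch_session
    plug :protect_from_forgery
  end

  scope "/", MyAppWeb do
    pipe_through :browser
    live_session :semiadmin, on_mount: {MyAppWeb.RoleAuth, :ensure_staff} do
      live "/reports", ReportsLive
    end

    # A client that joined under an older :admin definition still has to
    # pass :ensure_admin when it mounts a route in this session.
    live_session :admin, on_mount: {MyAppWeb.RoleAuth, :ensure_admin} do
      live "/secrets", SecretsLive
    end
  end
end
```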