Use Gitlab::Json to serialize sessions
What does this MR do and why?
This changes session serialization to use JSON instead of the less secure Marshal API.
Since we have full control of the data we serialize, there is no open vulnerability, and this change has been approved by appsec to be made in the canonical repo (see: gitlab-org/security/gitlab!1718).
Follow-up work will migrate old sessions and remove the then-redundant old code.
See: #30516
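The shape of the dual-format read this kind of switch needs, as an added illustration that is not this MR's code: it uses the stdlib JSON module in place of Gitlab::Json, the module name SessionSerializer is assumed, new sessions are written as JSON, a legacy Marshal session is recognised by its version marker and is the only path that still calls Marshal.load (the part the follow-up migration removes), and the test shows that symbol keys come back as strings after a JSON round-trip, which callers of the session hash must tolerate.

```ruby
require 'json'

# Hypothetical session serializer (not the MR's code). Writes JSON and
# reads JSON first; falls back to Marshal only for sessions written before
# the switch so existing logins keep working across the deploy.
module SessionSerializer
  # Marshal 4.8 streams (every current MRI) start with these two bytes.
  MARSHAL_MAGIC = "\x04\x08".b

  # Serialize a session hash. Symbol keys and values become strings,
  # and non-JSON types (Time, Symbol, custom objects) must be converted
  # before they reach the session; that is the price of not using Marshal.
  def self.dump(session)
    JSON.generate(session)
  end

  # Deserialize a stored session payload. Returns an empty hash for a
  # missing payload rather than raising, as a session store would.
  def self.load(payload)
    return {} if payload.nil? || payload.empty?

    if payload.b.start_with?(MARSHAL_MAGIC)
      # Legacy session. Acceptable only because the store is written by
      # the application itself: Marshal.load on attacker-controlled bytes
      # instantiates arbitrary objects, which is why JSON replaces it.
      Marshal.load(payload)
    else
      JSON.parse(payload)
    end
  end
end
```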
How to set up and validate locally
New sessions should continue to work, as well as existing sessions.
I tested this again by:
- running the app on master
- logging in
- switching the branch to this one
- reloading
The user should continue to be logged in.
The reverse order (log in on this branch, switch to master, reload) should also work.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.