
Changeset 7720

Timestamp:
10/02/07 05:51:51 (1 year ago)
Author:
nzkoz
Message:

Disable non-cookie sessions to prevent Session Fixation Attacks. Closes #7952 [bradediger]

Files:

  • branches/1-2-stable/actionpack/lib/action_controller/cgi_process.rb

    r6432 r7720  
    1414    #   lib/action_controller/session. 
    1515    # * <tt>:session_key</tt> - the parameter name used for the session id. Defaults to '_session_id'. 
    16     # * <tt>:session_id</tt> - the session id to use.  If not provided, then it is retrieved from the +session_key+ parameter 
    17     #   of the request, or automatically generated for a new session. 
     16    # * <tt>:session_id</tt> - the session id to use.  If not provided, then it is retrieved from the +session_key+ cookie, or  
     17    #   automatically generated for a new session. 
    1818    # * <tt>:new_session</tt> - if true, force creation of a new session.  If not set, a new session is only created if none currently 
    1919    #   exists.  If false, a new session is never created, and if none currently exists and the +session_id+ option is not set, 
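Review bot: the rewritten <tt>:session_id</tt> sentence now says the id is retrieved only from the +session_key+ cookie, but the parameter path still exists when <tt>:cookie_only</tt> is set to false, so the doc is wrong for that configuration. Suggest: "If not provided, then it is retrieved from the +session_key+ cookie (or, when <tt>:cookie_only</tt> is false, from the +session_key+ request parameter), or automatically generated for a new session."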
     
    2525    # * <tt>:session_secure</tt> - if +true+, this session will only work over HTTPS. 
    2626    # * <tt>:session_path</tt> - the path for which this session applies.  Defaults to the directory of the CGI script. 
     27    # * <tt>:cookie_only</tt> - if +true+ (the default), session IDs will only be accepted from cookies and not from 
     28    #   the query string or POST parameters. This protects against session fixation attacks. 
    2729    def self.process_cgi(cgi = CGI.new, session_options = {}) 
    2830      new.process_cgi(cgi, session_options) 
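Review bot: "will only be accepted from cookies" reads as if a session id in the query string or POST body is silently ignored, but the new check raises SessionFixationAttempt, which surfaces as an error response unless the application rescues it. The option doc should state that a request carrying the session key as a parameter is rejected with SessionFixationAttempt, and that <tt>:cookie_only => false</tt> restores the old behaviour, so that maintainers of applications that deliberately pass the session id in a form or URL understand why those requests now fail.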
     
    3537 
    3638  class CgiRequest < AbstractRequest #:nodoc: 
    37     attr_accessor :cgi, :session_options 
     39    attr_accessor :cgi, :session_options, :cookie_only 
     40    class SessionFixationAttempt < StandardError; end #:nodoc: 
    3841 
    3942    DEFAULT_SESSION_OPTIONS = { 
    4043      :database_manager => CGI::Session::PStore, 
    4144      :prefix           => "ruby_sess.", 
    42       :session_path     => "/" 
     45      :session_path     => "/", 
     46      :cookie_only      => true 
    4347    } unless const_defined?(:DEFAULT_SESSION_OPTIONS) 
    4448 
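Review bot: SessionFixationAttempt is the only signal an application gets that a forged-id request was rejected, yet it is marked #:nodoc:, so it will not appear in the generated docs that the new :cookie_only option points readers to. Suggest dropping #:nodoc: and adding a one-line comment such as "Raised when :cookie_only is set and the session id arrives as a request parameter" so applications can rescue and log it by name. Note also that the existing `unless const_defined?(:DEFAULT_SESSION_OPTIONS)` guard means a process in which the constant was already defined will not pick up the new `:cookie_only => true` default.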
     
    4751      @session_options = session_options 
    4852      @env = @cgi.send(:env_table) 
     53      @cookie_only = session_options.delete :cookie_only 
    4954      super() 
    5055    end 
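Review bot: `@cookie_only = session_options.delete :cookie_only` reads the flag from the caller's hash only, while the documented default of true lives in DEFAULT_SESSION_OPTIONS. Unless the defaults are merged into session_options before this line (not visible in this hunk), a caller that passes a hash without :cookie_only, such as the `{}` default of process_cgi, ends up with @cookie_only = nil and the fixation check is silently disabled, the opposite of what the option doc promises. The delete is also destructive: it is performed on the same object that was just stored in @session_options and on whatever hash the caller passed in, so a dispatcher that reuses one options hash across requests loses the key on the first request and every later request runs unchecked. Suggest dropping the delete and reading the flag at check time through session_options_with_string_keys['cookie_only'], the same merged lookup the new check already uses for 'session_key'.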
     
    110115        else 
    111116          stale_session_check! do 
     117            if @cookie_only && request_parameters[session_options_with_string_keys['session_key']] 
     118              raise SessionFixationAttempt 
     119            end 
    112120            case value = session_options_with_string_keys['new_session'] 
    113121              when true
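Review bot: the check only consults request_parameters, whereas the new option doc promises that ids in "the query string or POST parameters" are rejected. If the query string is exposed through a separate accessor on AbstractRequest rather than through request_parameters (this hunk does not show which source request_parameters covers), a GET with the session key in the URL would pass this check and the id would still reach the session store, leaving open the easiest fixation vector, a link with the id embedded. Suggest checking both parameter sources, or the merged parameters hash, for session_options_with_string_keys['session_key'] before the session is created. Please also confirm that stale_session_check! does not rescue StandardError, otherwise the raise inside its block could be swallowed or retried instead of aborting the request.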