
Changeset 7722

Timestamp:
10/02/07 05:58:16 (1 year ago)
Author:
nzkoz
Message:

Merge session fixation fixes from stable

Files:

  • trunk/actionpack/CHANGELOG

    r7701 r7722  
     1*SVN* 
     2 
     3* Only accept session ids from cookies, prevents session fixation attacks.  [bradediger]  
     4 
    15*2.0.0 [Preview Release]* (September 29th, 2007) [Includes duplicates of changes from 1.12.2 - 1.13.3] 
    26 
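Review bot: the CHANGELOG entry "Only accept session ids from cookies" understates what the change does and hides the knob: the behaviour is controlled by a new :cookie_only session option defaulting to true (DEFAULT_SESSION_OPTIONS in cgi_process.rb), and a request that does carry the id in its parameters raises SessionFixationAttempt instead of being silently ignored. Name the option and the exception here so upgraders know both how to opt out and what the new failure looks like, e.g. "Only accept session ids from cookies (new :cookie_only session option, default true); a session id supplied as a request parameter now raises CgiRequest::SessionFixationAttempt. Prevents session fixation attacks."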
  • trunk/actionpack/lib/action_controller/cgi_process.rb

    r7719 r7722  
    1111    #   lib/action_controller/session. 
    1212    # * <tt>:session_key</tt> - the parameter name used for the session id. Defaults to '_session_id'. 
    13     # * <tt>:session_id</tt> - the session id to use.  If not provided, then it is retrieved from the +session_key+ parameter 
    14     #   of the request, or automatically generated for a new session. 
     13    # * <tt>:session_id</tt> - the session id to use.  If not provided, then it is retrieved from the +session_key+ cookie, or  
     14    #   automatically generated for a new session. 
    1515    # * <tt>:new_session</tt> - if true, force creation of a new session.  If not set, a new session is only created if none currently 
    1616    #   exists.  If false, a new session is never created, and if none currently exists and the +session_id+ option is not set, 
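Review bot: the rewritten comment at lines 13-14 describes only the cookie_only behaviour, but lines 24-25 of this same file document that :cookie_only can be set to false, in which case the old parameter lookup presumably still applies. Make the two descriptions agree, e.g. "retrieved from the +session_key+ cookie (or, when :cookie_only is false, from the +session_key+ request parameter), or automatically generated for a new session."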
     
    2222    # * <tt>:session_secure</tt> - if +true+, this session will only work over HTTPS. 
    2323    # * <tt>:session_path</tt> - the path for which this session applies.  Defaults to the directory of the CGI script. 
     24    # * <tt>:cookie_only</tt> - if +true+ (the default), session IDs will only be accepted from cookies and not from 
     25    #   the query string or POST parameters. This protects against session fixation attacks. 
    2426    def self.process_cgi(cgi = CGI.new, session_options = {}) 
    2527      new.process_cgi(cgi, session_options) 
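Review bot: the :cookie_only doc at lines 24-25 says ids are not accepted from the query string or POST parameters but not what happens when one arrives; the check further down (line 118) raises SessionFixationAttempt rather than falling back to the cookie. An operator reading only this option list will expect silent fallback, so state the failure mode, e.g. "A request that supplies the session id as a parameter raises CgiRequest::SessionFixationAttempt." It is also worth saying here that this is the setting to disable if a deployment genuinely needs ids in URLs (for example cookieless clients), so nobody disables it by accident.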
     
    3234 
    3335  class CgiRequest < AbstractRequest #:nodoc: 
    34     attr_accessor :cgi, :session_options 
     36    attr_accessor :cgi, :session_options, :cookie_only 
     37    class SessionFixationAttempt < StandardError; end #:nodoc: 
    3538 
    3639    DEFAULT_SESSION_OPTIONS = { 
    3740      :database_manager => CGI::Session::CookieStore, # store data in cookie 
    3841      :prefix           => "ruby_sess.",    # prefix session file names 
    39       :session_path     => "/"              # available to all paths in app 
     42      :session_path     => "/",             # available to all paths in app 
     43      :cookie_only      => true 
    4044    } unless const_defined?(:DEFAULT_SESSION_OPTIONS) 
    4145 
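Review bot: SessionFixationAttempt at line 37 is a #:nodoc: constant nested under CgiRequest, which is itself #:nodoc: (line 35), yet it is the exception an application would need to rescue to turn a fixation attempt into a 4xx instead of a 500. Either document it where :cookie_only is documented or expose it as a public ActionController constant (a suggestion, not something the patch does), and note in the comment that it is a StandardError subclass so a blanket rescue StandardError will swallow it. Also, adding :cookie_only => true to DEFAULT_SESSION_OPTIONS at line 43 only helps if that hash is merged before the option is read; see the note on the initializer hunk below.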
     
    4448      @session_options = session_options 
    4549      @env = @cgi.send!(:env_table) 
     50      @cookie_only = session_options.delete :cookie_only 
    4651      super() 
    4752    end 
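Review bot: line 50 reads @cookie_only = session_options.delete :cookie_only from the caller-supplied hash, and nothing in this hunk merges DEFAULT_SESSION_OPTIONS into it first (line 48 stores session_options as-is). When the caller omits :cookie_only, which is the normal case, @cookie_only is nil, the default of true added to DEFAULT_SESSION_OPTIONS (line 43) never reaches the instance, and the @cookie_only && guard at line 117 is skipped, so the fixation check is off by default. Suggest resolving it through the merged options, e.g. @cookie_only = DEFAULT_SESSION_OPTIONS.merge(session_options)[:cookie_only], or reading it lazily via session_options_with_string_keys['cookie_only'] at the point of use. Two smaller issues with the same line: delete mutates the caller's hash (and @session_options aliases it), and a caller passing the string key 'cookie_only' is not matched by the symbol delete.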
     
    110115        else 
    111116          stale_session_check! do 
     117            if @cookie_only && request_parameters[session_options_with_string_keys['session_key']] 
     118              raise SessionFixationAttempt 
     119            end 
    112120            case value = session_options_with_string_keys['new_session'] 
    113121              when true
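Review bot: the check at line 117 only consults request_parameters, while the option doc added at lines 24-25 promises that ids are rejected from "the query string or POST parameters". Confirm that request_parameters covers a session id in the query string of a POST request; if it does not, check query_parameters as well (or the merged parameters hash), otherwise an attacker can still fix the id by putting it in the URL of a form post. Separately, the raise is placed inside stale_session_check! and only after the cookie path fails to produce a session, so a request that carries both a valid cookie and an id parameter is not rejected; if the intent is "never honour a parameter id", the guard should run before the session lookup regardless of which branch is taken.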