
Ticket #7952 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

[PATCH] Remove parameter-passed session IDs

Reported by: bradediger Assigned to: core
Priority: normal Milestone: 1.x
Component: ActiveRecord Version: edge
Severity: normal Keywords:
Cc:

Description

CGI::Session by default looks in the request parameters first for a session ID; it checks the cookie only if the parameters don't specify one. This is not desirable for Rails; most users do not use request-parameter-based sessions, and there is no best practice for doing so in Rails. This also opens Rails up to potential session fixation.

In the absence of a CGI::Session patch, I am attaching a patch that (by default) raises an error if a session ID is included in the request parameters. This behavior can be turned off (and thus reverted to the previous state) with the session option :cookie_session_id_only => false.
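As an added illustration (not the attached patch or Rails code), the two lookup orders the description contrasts, modelled as plain Ruby: the old parameter-first order, and the hardened order that rejects a parameter-passed ID unless `:cookie_session_id_only => false` is given. The `_session_id` key and the `SessionIdNotInCookie` error name are assumptions.

```ruby
# Hypothetical error class; the real patch's error type is not shown on the ticket.
class SessionIdNotInCookie < StandardError; end

# Pre-patch order as the ticket describes CGI::Session: a session ID found in
# the request parameters wins, and the cookie is consulted only when no
# parameter is present. Because a parameter arrives with the link or form a
# user followed, it is honoured over the user's own cookie, which is the
# session fixation exposure the ticket names.
# '_session_id' is the assumed default session key.
def legacy_session_id(params, cookies, key = '_session_id')
  params[key] || cookies[key]
end

# Patched order: by default a session ID in the parameters is an error, and
# only the cookie is trusted. :cookie_session_id_only => false restores the
# legacy behaviour for applications that knowingly rely on it.
def hardened_session_id(params, cookies, key = '_session_id', options = {})
  cookie_only = options.fetch(:cookie_session_id_only, true)
  return legacy_session_id(params, cookies, key) unless cookie_only

  if params.key?(key)
    raise SessionIdNotInCookie,
          "session ID must arrive in a cookie, not as request parameter #{key}"
  end
  cookies[key]
end
```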

Attachments

session_fixation_fix.diff (3.1 kB) - added by bradediger on 09/28/07 22:25:56.

Change History

03/31/07 21:29:55 changed by bradediger

  • summary changed from Remove parameter-passed session IDs to [PATCH] Remove parameter-passed session IDs.

09/28/07 22:25:56 changed by bradediger

  • attachment session_fixation_fix.diff added.

10/02/07 05:51:55 changed by nzkoz

  • status changed from new to closed.
  • resolution set to fixed.

(In [7720]) Disable non-cookie sessions to prevent Session Fixation Attacks. Closes #7952 [bradediger]