
Ticket #9930 (closed defect: incomplete)

Opened 1 year ago

Last modified 1 year ago

[PATCH] Session fixation attempts are not caught when using the default session_key

Reported by: theflow Assigned to: core
Priority: normal Milestone:
Component: ActionPack Version: edge
Severity: normal Keywords:
Cc:

Description

In [7720] session fixation attempts were prevented by throwing an error if the session_id parameter is part of the request. Currently this does not work if the application uses the default session key.

This patch fixes that by defining the default session_key (coming from Ruby's CGI) in the DEFAULT_SESSION_OPTIONS hash.

As there are no tests for this, I tried to add some but couldn't figure out a way to test the real CgiRequest.
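The following is an added example (not the attached patch and not Rails code) that models the guard the description refers to: a request whose parameters carry the session key name is rejected, and the check only works when the session key is actually known. It assumes the CGI default session key is `_session_id` and that the guard looks the key up in the session options hash; `DEFAULT_SESSION_OPTIONS`, `fixation_attempt?` and `check_request!` are illustrative names, not the real ActionPack ones.

```ruby
# Added example modelling the session-fixation guard described in the ticket.
# Not Rails code; method and constant names below are illustrative.
require 'cgi'

class SessionRestoreError < StandardError; end

# Assumption: Ruby's CGI::Session uses "_session_id" as its default session key.
# Spelling it out in the defaults hash is what the ticket's patch does.
DEFAULT_SESSION_OPTIONS = { 'session_key' => '_session_id' }.freeze

# Parse a raw query string into key => [values] using the standard CGI parser.
def parse_params(query_string)
  CGI.parse(query_string.to_s)
end

# Pre-patch behaviour (assumed mechanism): the guard reads the session key
# straight from the application's options. When the app relies on the default
# and never sets one, the key is nil and the check can never match.
def fixation_attempt_unguarded?(params, options = {})
  key = options['session_key']
  params.key?(key)
end

# Post-patch behaviour: merge the defaults first so the key is always known,
# whether or not the application configured session_key explicitly.
def fixation_attempt?(params, options = {})
  merged = DEFAULT_SESSION_OPTIONS.merge(options)
  params.key?(merged['session_key'])
end

# Raise when the session id is supplied as a request parameter; otherwise
# return the parsed parameters for normal processing.
def check_request!(query_string, options = {})
  params = parse_params(query_string)
  if fixation_attempt?(params, options)
    raise SessionRestoreError, 'session id present in request parameters'
  end
  params
end

if __FILE__ == $0
  # Constructed sample requests: one carrying a fixed session id, one benign.
  puts fixation_attempt_unguarded?(parse_params('_session_id=abc'))  # false: bug
  puts fixation_attempt?(parse_params('_session_id=abc'))            # true: fixed
  begin
    check_request!('_session_id=abc')
  rescue SessionRestoreError => e
    puts "rejected: #{e.message}"
  end
  p check_request!('page=2')
end
```

The contrast between the two predicates is the whole point of the ticket: with no explicit `session_key` the unguarded version compares parameters against `nil` and silently passes, while the fixed version falls back to the default key and raises.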

Attachments

catches_session_fixation_with_default_session_key.patch (0.6 kB) - added by theflow on 10/19/07 10:27:42.

Change History

10/19/07 10:27:42 changed by theflow

  • attachment catches_session_fixation_with_default_session_key.patch added.

10/31/07 17:28:28 changed by lifofifo

  • status changed from new to closed.
  • resolution set to incomplete.
  • milestone deleted.

Nice catch. Please include a failing test case and reopen the ticket. You can read the patch-related document here.

11/12/07 09:55:05 changed by theflow

While trying to write tests for this I've found some other issues. Please have a look at #10048