mailing list archives
Re: [Ruby on Rails] Move away from CookieStore if you care about your users and their security. Here is a technical explanation why.
From: joernchen <joernchen () phenoelit de>
Date: Wed, 25 Sep 2013 11:50:37 +0200
On Tue, Sep 24, 2013 at 09:30:58PM -0400, G. S. McNamara wrote:
Ruby on Rails Web applications versions 2.0 through 4.0 are by default
vulnerable to an oft-overlooked Web application security issue: Session
cookies are valid for life.* A malicious user could use the stolen cookie
from any authenticated request by the user to log in as them at any point
in the future.
There are other fun things which might happen, imagine App_A and App_B
which share the same codebase (let's just imagine two instances of a
some kind of appliance with a RoR Web frontend). If the vendor has not
taken care to generate a unique cookie-signing secret for each appliance
you could just log into your appliance (App_A) and reuse the token on
App_B yielding a session with the same userId on App_B.
This however relies on a mechanism like "authenticated_system" which
just puts your userId in the session cookie.
joernchen ~ Phenoelit
<joernchen () phenoelit de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/