Disable non-cookie sessions to prevent Session Fixation Attacks.  Closes 
#7952 [bradediger]


git-svn-id: 
http://svn-commit.rubyonrails.org/rails/branches/1-2-stable@7720 
5ecf4fe2-1ee6-0310-87b1-e25e094e27de
NZKoz (author)
Mon Oct 01 22:51:51 -0700 2007
commit  6c773706b44c4fe584e4e1ff563e789231df76c4
tree    a634a95dea32b27367ad2f011c026d3eca9f8a76
parent  779db44f74066a4794d0ea83c1f87cb2e3e80cb1
0
@@ -13,8 +13,8 @@
0
     # (default). Additionally, there is CGI::Session::DRbStore and CGI::Session::ActiveRecordStore. Read more about these in
0
     # lib/action_controller/session.
0
     # * <tt>:session_key</tt> - the parameter name used for the session id. Defaults to '_session_id'.
0
- # * <tt>:session_id</tt> - the session id to use. If not provided, then it is retrieved from the +session_key+ parameter
0
- # of the request, or automatically generated for a new session.
0
+ # * <tt>:session_id</tt> - the session id to use. If not provided, then it is retrieved from the +session_key+ cookie, or
0
+ # automatically generated for a new session.
0
     # * <tt>:new_session</tt> - if true, force creation of a new session. If not set, a new session is only created if none currently
0
     # exists. If false, a new session is never created, and if none currently exists and the +session_id+ option is not set,
0
     # an ArgumentError is raised.
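Review bot: The rewritten `:session_id` comment now says the id is retrieved only from the `+session_key+` cookie, but this same commit keeps `:cookie_only => false` as a supported option, and in that mode the request-parameter path still applies. I'd make the wording conditional so the doc matches both modes, e.g. `# * <tt>:session_id</tt> - the session id to use. If not provided, then it is retrieved from the +session_key+ cookie (or, when` followed by `# <tt>:cookie_only</tt> is false, from the request parameters), or automatically generated for a new session.`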
0
@@ -24,6 +24,8 @@
0
     # server.
0
     # * <tt>:session_secure</tt> - if +true+, this session will only work over HTTPS.
0
     # * <tt>:session_path</tt> - the path for which this session applies. Defaults to the directory of the CGI script.
0
+ # * <tt>:cookie_only</tt> - if +true+ (the default), session IDs will only be accepted from cookies and not from
0
+ # the query string or POST parameters. This protects against session fixation attacks.
0
     def self.process_cgi(cgi = CGI.new, session_options = {})
0
       new.process_cgi(cgi, session_options)
0
     end
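Review bot: The new `:cookie_only` doc promises that session IDs are accepted neither from the query string nor from POST parameters, but the guard this commit adds in the last hunk (`@@ -109,6 +114,9 @@`) consults only `request_parameters[...]`; as I read `AbstractRequest`, that accessor is the request-body side and query-string values live in `query_parameters`, so a session id supplied in the URL would appear to bypass the check — worth confirming against `AbstractRequest`, which is outside this diff. If `request_parameters` does not cover both sources, the guard should read `if @cookie_only && (query_parameters[key] || request_parameters[key])` with `key = session_options_with_string_keys['session_key']`; otherwise the doc should be narrowed to what is actually enforced. Either way the comment and the check need to state the same thing, because a reader of this doc will assume the URL path is closed.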
0
0
0
@@ -34,18 +36,21 @@
0
   end
0
 
0
   class CgiRequest < AbstractRequest #:nodoc:
0
- attr_accessor :cgi, :session_options
0
+ attr_accessor :cgi, :session_options, :cookie_only
0
+ class SessionFixationAttempt < StandardError; end #:nodoc:
0
 
0
     DEFAULT_SESSION_OPTIONS = {
0
       :database_manager => CGI::Session::PStore,
0
       :prefix => "ruby_sess.",
0
- :session_path => "/"
0
+ :session_path => "/",
0
+ :cookie_only => true
0
     } unless const_defined?(:DEFAULT_SESSION_OPTIONS)
0
 
0
     def initialize(cgi, session_options = {})
0
       @cgi = cgi
0
       @session_options = session_options
0
       @env = @cgi.send(:env_table)
0
+ @cookie_only = session_options.delete :cookie_only
0
       super()
0
     end
0
 
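Review bot: `@cookie_only = session_options.delete :cookie_only` in `initialize` yields `nil` whenever the caller's hash has no `:cookie_only` key, and nothing visible here merges `DEFAULT_SESSION_OPTIONS` into `session_options` before that line runs, so the protection is off by default rather than on — the opposite of the `(the default)` wording in the hunk above. If the defaults are only merged later (presumably inside `session_options_with_string_keys`, not shown), the fix is an explicit fallback: `@cookie_only = session_options.delete(:cookie_only) { DEFAULT_SESSION_OPTIONS[:cookie_only] }`. Note also that `delete` mutates the hash the caller passed in and the same object is stored in `@session_options`, so a caller that reuses one options hash across requests loses the key after the first call; reading it with `fetch` instead of deleting avoids that side effect unless the key must be stripped before the hash reaches `CGI::Session`.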
0
@@ -109,6 +114,9 @@
0
           @session = Hash.new
0
         else
0
           stale_session_check! do
0
+ if @cookie_only && request_parameters[session_options_with_string_keys['session_key']]
0
+ raise SessionFixationAttempt
0
+ end
0
             case value = session_options_with_string_keys['new_session']
0
               when true
0
                 @session = new_session
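Review bot: Stylistically the three-line guard collapses into the modifier form used elsewhere in this file: `raise SessionFixationAttempt if @cookie_only && request_parameters[session_options_with_string_keys['session_key']]`. `SessionFixationAttempt` is raised without a message and nothing in this diff rescues it, so unless a rescue outside the hunk maps it to a response it will surface as a generic server error; giving it a short message such as `raise SessionFixationAttempt, "session id supplied in request parameters"` makes the event identifiable in logs. The enclosing method starts and ends outside this hunk.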
