Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Small middleware, that helps a little bit to protect user session from session hijacking (by checking browsers user_agent)
JavaScript Ruby
branch: master

This branch is 3 commits behind galdomedia:master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
lib
.gitignore
MIT-LICENSE
README.md
Rakefile
init.rb
install.rb
uninstall.rb

README.md

session_protector

DESCRIPTION

WARNING: this only makes a little bit harder to hijack user session, our solution basically have nothing to do with session security!!

Logout user if HTTP_USER_AGENT and IP differs from the one saved in session. This make it harder to successfully use session hijacking tools like firesheep.

Also, usage of browser_fingerprint.js allows usage of pseudo-unique fingerprint of users browser details. Both combined makes much harder (at least for script kiddies using firesheep for evil purposes) to hijack session (yeah, right).

REQUIREMENTS

Devise or other authentication system based on Warden

INSTALL

rails plugin install git://github.com/galdomedia/session_protector.git

You MAY also want to install browser_fingerprint script. To do this simply run:

rails generate session_protector:install

And reference to browser_fingerprint.js script in HEAD section or your layout. Ie:

<%= javascript_include_tag 'browser_fingerprint', :cache => true %>

browser_fingerprint.js is not yet JavaScript framework agnostic. It REQUIRES jQuery now.

CONFIGURATION

You may want to disable IP checking. To do this simply paste following code in config/initializers/session_protector.rb

SessionProtector.setup do |config|
  # don't check IP address
  config.check_ip = false
end

HOW IT WORKS

  • middleware checks, if USER_AGENT didn't change. This should scare of most part of script kiddies using firesheep
  • javascript part checks for browsers USER_AGENT, installed plugins, screen resolution, timezone, browser capabilities and makes md5 hash from string containing all those informations. hash is stored in cookie, then, if not empty, it's assigned to session. If on next page load (script have to be executed at least once, somehow) hash strings on server side (session) and client are different, session is destroyed.

It's not the best nor ultimate solution, but as long as you can not send cookies via SSL, nothing can assure you, that session will not be hijacked - bas guys can still gather users cookies, sniff for user_agent, use browser spoofing tools, etc.

AUTHORS

  • Piotr Boniecki (piotr [at] galdomedia [dot] pl)
  • Maciej Litwiniuk (maciej [at] galdomedia [dot] pl )

CREDITS

Copyright (c) 2010 Piotr Boniecki (piotr [at] galdomedia [dot] pl), released under the MIT license

Something went wrong with that request. Please try again.