Sessions are created automatically. #774

rsimoes opened this Issue Apr 11, 2012 · 1 comment




Simple problem, but with bad consequences. It amounts to a security vulnerability: an attacker can endlessly cause sessions to be created simply by ignoring the session cookie on each request. The consequences of such an attack will depend on whether the session engine is file-, database-, process-memory-, or cache-daemon-based. An application should therefore be able to control whether and when new sessions are created.

@ambs ambs was assigned Apr 12, 2012

What could be an acceptable solution? I can think of:

  1. Create a new option 'auto_create_sessions: 0|1', and if it is set to false, don't have the session created automatically but force the user to call 'create_session' manually.

  2. Create a 'session_creation' hook that can short-circuit the creation of the session if anything bad is detected.
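Both proposals sketched in one small in-memory session manager, as an added example that is not the project's own code: an option that turns off automatic creation (modelled on the comment's `auto_create_sessions`) and a creation hook that can veto a new session (modelled on `session_creation`). The names `auto_create`, `creation_hook`, `needs_session`, `make_per_client_budget` and the `Request` stand-in are assumptions for this sketch, as is the constructed client that drops its cookie on every request. The simulation shows the store growing by one entry per request under the behaviour the issue describes, and staying bounded under either proposal, while a legitimate login flow still gets its session.

```python
import secrets
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: just cookies and a client address."""
    cookies: dict = field(default_factory=dict)
    remote_addr: str = "198.51.100.7"  # constructed sample address


@dataclass
class SessionManager:
    """In-memory session engine whose creation policy is configurable (assumed names).

    auto_create   -> models the proposed 'auto_create_sessions' option
    creation_hook -> models the proposed 'session_creation' hook; returning
                     False vetoes creation of a new session
    """
    store: dict = field(default_factory=dict)
    auto_create: bool = True
    creation_hook: Optional[Callable[[Request], bool]] = None

    def lookup(self, request: Request) -> Optional[dict]:
        """Return the existing session named by the cookie, or None."""
        sid = request.cookies.get("session_id")
        return self.store.get(sid) if sid else None

    def create_session(self, request: Request) -> Optional[dict]:
        """Explicit creation; the hook may refuse (e.g. when one client floods)."""
        if self.creation_hook is not None and not self.creation_hook(request):
            return None
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.store[sid] = {"id": sid, "data": {}}
        return self.store[sid]

    def handle(self, request: Request, needs_session: bool = False) -> Optional[dict]:
        """Per-request entry point: reuse a session, else create only when allowed."""
        session = self.lookup(request)
        if session is None and (self.auto_create or needs_session):
            session = self.create_session(request)
        return session


def make_per_client_budget(limit: int) -> Callable[[Request], bool]:
    """Hook that lets each client address create at most `limit` sessions."""
    created = Counter()

    def hook(request: Request) -> bool:
        if created[request.remote_addr] >= limit:
            return False
        created[request.remote_addr] += 1
        return True

    return hook


def simulate_cookieless_requests(manager: SessionManager, n: int) -> int:
    """A client that never sends the cookie back; returns the store size afterwards."""
    for _ in range(n):
        manager.handle(Request())
    return len(manager.store)


def login_then_return(manager: SessionManager) -> bool:
    """Legitimate flow under auto_create=False: the login handler asks for a session,
    the client then presents the cookie and gets the same session object back."""
    session = manager.handle(Request(), needs_session=True)
    if session is None:
        return False
    again = manager.handle(Request(cookies={"session_id": session["id"]}))
    return again is session and len(manager.store) == 1


if __name__ == "__main__":
    print("auto-create, no hook :", simulate_cookieless_requests(SessionManager(), 50))
    print("auto-create off      :", simulate_cookieless_requests(SessionManager(auto_create=False), 50))
    budgeted = SessionManager(creation_hook=make_per_client_budget(5))
    print("auto-create + budget :", simulate_cookieless_requests(budgeted, 50))
    print("login flow works     :", login_then_return(SessionManager(auto_create=False)))
```

The two controls compose: with `auto_create` off, only handlers that actually need state (login, cart) ask for a session, and the hook still applies to those explicit requests, so a per-client budget or any other check the application wants lives in one place regardless of which backend stores the sessions.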

