Conversation

@tiegz tiegz commented Dec 28, 2012

PROBLEM

  • Rails session cookies are marshalled Ruby Hashes.
  • Authlogic stores a record's id and persistence_token in the Rails session cookie.
  • Authlogic uses Rails' find_by_* methods when looking up id and persistence_token.
  • The find_by_* methods accept option hashes, such as :select => "...".

This leaves persist_by_session open to SQL attacks (such as logging in as any user) if a malicious user can write their own Rails session cookie (if they have the Rails secret_token).

Although Authlogic verifies a user's identity with the persistence_token stored in the database, this can currently be surpassed using this vulnerability, rendering persistence_token useless.

SOLUTION

Use to_s on the session credentials when looking up a user.
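The following is an added example and is not Authlogic's own code or the code from this pull request. It models the lookup the PR describes with a toy in-memory user table and a constructed stand-in for a Rails dynamic finder that, like the real ones of the time, pops a trailing Hash argument off as finder options. The two lookup functions show the session-credential handling before and after applying `to_s`; the sample sessions and the finder's return shape are assumptions made for the demonstration.

```ruby
# Constructed in-memory user table standing in for the database.
USERS = [
  { id: 1, login: 'alice', persistence_token: 'a' * 32 },
  { id: 2, login: 'bob',   persistence_token: 'b' * 32 },
].freeze

# Stand-in for a Rails find_by_* dynamic finder (constructed, not ActiveRecord).
# Mirrors the behaviour the PR relies on: a trailing Hash argument is treated as
# finder options rather than as an attribute value. The options are returned so
# the caller can see exactly what the finder was handed.
def find_by_id_and_persistence_token(*args)
  options = args.last.is_a?(Hash) ? args.pop : {}
  id, token = args
  user = USERS.find { |u| u[:id].to_s == id.to_s && u[:persistence_token] == token }
  { user: user, options: options }
end

# Before the fix: session values are passed to the finder unchanged, so a
# marshalled Hash arrives as finder options.
def lookup_before_fix(session)
  find_by_id_and_persistence_token(session[:id], session[:persistence_token])
end

# After the fix: every session credential is coerced with to_s first, so the
# finder only ever sees Strings and can never interpret one as an options Hash.
def lookup_after_fix(session)
  find_by_id_and_persistence_token(session[:id].to_s, session[:persistence_token].to_s)
end

# Constructed sample sessions: one well-formed, one where the token slot holds a
# Hash instead of a String (what a tampered marshalled cookie could carry).
SESSION_OK       = { id: 1, persistence_token: 'a' * 32 }.freeze
SESSION_TAMPERED = { id: 1, persistence_token: { 'unexpected' => 'hash' } }.freeze

if $PROGRAM_NAME == __FILE__
  puts "before fix, tampered: #{lookup_before_fix(SESSION_TAMPERED).inspect}"
  puts "after fix, tampered:  #{lookup_after_fix(SESSION_TAMPERED).inspect}"
  puts "after fix, valid:     #{lookup_after_fix(SESSION_OK)[:user].inspect}"
end
```

Run against the tampered session, the pre-fix lookup returns the Hash in `:options` (the finder consumed it as options), while the post-fix lookup returns empty options and no user, because the stringified Hash matches no stored persistence_token. A valid session still resolves to the right user after the fix.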

binarylogic added a commit that referenced this pull request Dec 28, 2012
Fix session persistence sql vulnerabilities
@binarylogic binarylogic merged commit e6000bd into binarylogic:master Dec 28, 2012