Small middleware, that helps a little bit to protect user session from session hijacking (by checking browsers user_agent)
JavaScript Ruby
Switch branches/tags
Nothing to show
Pull request Compare This branch is 7 commits behind galdomedia:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



WARNING: this only makes a little bit harder to hijack user session, our solution basically have nothing to do with session security!!

Logout user if HTTP_USER_AGENT and IP differs from the one saved in session. This make it harder to successfully use session hijacking tools like firesheep.

Also, usage of browser_fingerprint.js allows usage of pseudo-unique fingerprint of users browser details. Both combined makes much harder (at least for script kiddies using firesheep for evil purposes) to hijack session (yeah, right).


Devise or other authentication system based on Warden


rails plugin install git://

You MAY also want to install browser_fingerprint script. To do this simply run:

rails generate session_protector:install

And reference to browser_fingerprint.js script in HEAD section or your layout. Ie:

<%= javascript_include_tag 'browser_fingerprint', :cache => true %>

browser_fingerprint.js is not yet JavaScript framework agnostic. It REQUIRES jQuery now.


You may want to disable IP checking. To do this simply paste following code in config/initializers/session_protector.rb

SessionProtector.setup do |config|
  # don't check IP address
  config.check_ip = false


  • middleware checks, if USER_AGENT didn't change. This should scare of most part of script kiddies using firesheep
  • javascript part checks for browsers USER_AGENT, installed plugins, screen resolution, timezone, browser capabilities and makes md5 hash from string containing all those informations. hash is stored in cookie, then, if not empty, it's assigned to session. If on next page load (script have to be executed at least once, somehow) hash strings on server side (session) and client are different, session is destroyed.

It's not the best nor ultimate solution, but as long as you can not send cookies via SSL, nothing can assure you, that session will not be hijacked - bas guys can still gather users cookies, sniff for user_agent, use browser spoofing tools, etc.


  • Piotr Boniecki (piotr [at] galdomedia [dot] pl)
  • Maciej Litwiniuk (maciej [at] galdomedia [dot] pl )


Copyright (c) 2010 Piotr Boniecki (piotr [at] galdomedia [dot] pl), released under the MIT license