WARNING: this only makes hijacking a user's session a little bit harder; it has basically nothing to do with securing the session itself!

Clears the session if HTTP_USER_AGENT or the client IP differs from the one saved in the session. This makes it harder to successfully use session hijacking tools like Firesheep.

Additionally, browser_fingerprint.js provides a pseudo-unique fingerprint of the user's browser details. Both combined make it much harder (at least for script kiddies using Firesheep for evil purposes) to hijack a session (yeah, right).
INSTALLATION

Add the gem to your Gemfile and run Bundler.

You MAY also want to install the browser_fingerprint script. To do this, simply run:

  rails generate session_protector:install

and reference browser_fingerprint.js in the HEAD section of your layout.
You may want to disable IP checking (e.g. for users behind proxies or mobile networks whose address changes between requests). To do this, paste the following into your configuration:

  SessionProtector.setup do |config|
    # don't check IP address
    config.check_ip = false
  end
HOW IT WORKS

- the middleware checks that HTTP_USER_AGENT has not changed since it was saved in the session; this should scare off most script kiddies using Firesheep
- unless check_ip is disabled, it does the same for the client IP address
- if either value differs, the session is cleared

It's not the best nor the ultimate solution, but as long as you cannot send cookies over SSL only, nothing can assure you that the session will not be hijacked: bad guys can still gather users' cookies, sniff the User-Agent, use browser spoofing tools, etc.
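To make the checks above concrete, here is an added example of a minimal Rack-style middleware doing what this section describes. It is not the session_protector gem's own code: the class name SessionGuard, the Config#check_ip attribute (modelled on the README's check_ip setting), the session key, and the sample clients are all assumptions constructed for the demo.

```ruby
# Added example, not the session_protector gem's code. Names here
# (SessionGuard, Config#check_ip, SESSION_KEY) are assumptions for the demo;
# check_ip mirrors the README's config.check_ip setting.
class SessionGuard
  class Config
    attr_accessor :check_ip
    def initialize
      @check_ip = true # IP checking on by default, as in the README
    end
  end

  # Session key under which the expected client signature is kept (assumed name).
  SESSION_KEY = '_session_guard'.freeze

  def self.config
    @config ||= Config.new
  end

  # Mirrors the README's SessionProtector.setup { |config| ... } style.
  def self.setup
    yield config
  end

  def initialize(app, config = SessionGuard.config)
    @app = app
    @config = config
  end

  def call(env)
    session = env['rack.session'] # any Hash-like session store works
    current = signature(env)
    saved = session[SESSION_KEY]

    if saved && saved != current
      # Cookie presented by a client that does not look like the one that
      # created the session: drop everything (logs the user out) ...
      session.clear
      env['session_guard.cleared'] = true
    end
    # ... and bind the (possibly fresh) session to the current client.
    session[SESSION_KEY] = current

    @app.call(env)
  end

  private

  # What is compared between requests: the User-Agent and, unless disabled,
  # the peer address. REMOTE_ADDR is the TCP peer; behind a reverse proxy it is
  # the proxy, and X-Forwarded-For is attacker-controlled, so do not trust it blindly.
  def signature(env)
    sig = { 'ua' => env['HTTP_USER_AGENT'].to_s }
    sig['ip'] = env['REMOTE_ADDR'].to_s if @config.check_ip
    sig
  end
end

# Constructed sample clients for the demo (not real captured traffic).
LEGIT_CLIENT   = ['Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6', '10.0.0.5'].freeze
HIJACKER       = ['curl/7.21.0', '192.168.1.50'].freeze # stole the cookie, nothing else
SAME_UA_NEW_IP = [LEGIT_CLIENT[0], '172.16.0.9'].freeze # same browser, new address
SPOOFER        = LEGIT_CLIENT # sniffed the UA too and sits behind the same NAT

# Replays a list of [user_agent, ip] requests against one logged-in session
# and reports, per request, whether the login survived.
def simulate(requests, check_ip: true)
  config = SessionGuard::Config.new
  config.check_ip = check_ip
  guard = SessionGuard.new(->(_env) { [200, {}, ['ok']] }, config)
  session = { 'user_id' => 42 } # constructed: a session that is already logged in

  requests.map do |ua, ip|
    guard.call('rack.session' => session, 'HTTP_USER_AGENT' => ua, 'REMOTE_ADDR' => ip)
    session.key?('user_id')
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "legit twice:             #{simulate([LEGIT_CLIENT, LEGIT_CLIENT]).inspect}"
  puts "cookie replay, other UA: #{simulate([LEGIT_CLIENT, HIJACKER]).inspect}"
  puts "same UA, new IP:         #{simulate([LEGIT_CLIENT, SAME_UA_NEW_IP]).inspect}"
  puts "  ... with check_ip off: #{simulate([LEGIT_CLIENT, SAME_UA_NEW_IP], check_ip: false).inspect}"
  puts "spoofed UA + same IP:    #{simulate([LEGIT_CLIENT, SPOOFER]).inspect} (README caveat)"
end
```

The last case is the caveat from this section in code: an attacker who captured both the cookie and the User-Agent on the same network is indistinguishable from the legitimate user, so the check only defeats naive cookie replay. Also note that REMOTE_ADDR is the address of whatever terminates the TCP connection; if the app sits behind a reverse proxy, every user shares the proxy's address and the IP check adds nothing unless the proxy's forwarded-address header is used, which must then come only from that trusted proxy.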
- Piotr Boniecki (piotr [at] galdomedia [dot] pl)
- Maciej Litwiniuk (maciej [at] galdomedia [dot] pl)
- Electronic Frontier Foundation - Panopticlick - Browser uniqueness (fingerprint) detection
- Eric Gerds - PluginDetect
Copyright (c) 2010 Piotr Boniecki (piotr [at] galdomedia [dot] pl), released under the MIT license