Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fixed session ID fixation for ActiveRecord::SessionStore

I have found that Rails will take an invalid session ID specified by the
client and materialize a session based on that session ID. This means
that it is possible, among other things, for a client to use an
arbitrarily weak session ID or for a client to resurrect a previous used
session ID. In other words, we cannot guarantee that all session IDs are
generated by the server and that they are (statistically) unique through

The fix is to always generate a new session ID in #get_session if an
existing session cannot be found under the incoming session ID.
  • Loading branch information...
commit fa3c0e48c9ac3f8995534b7c7ca44035c22c4fff 1 parent 9370855
@jhtwong jhtwong authored
Showing with 6 additions and 2 deletions.
  1. +6 −2 activerecord/lib/active_record/session_store.rb
8 activerecord/lib/active_record/session_store.rb
@@ -297,8 +297,12 @@ def destroy
def get_session(env, sid)
Base.silence do
- sid ||= generate_sid
- session = find_session(sid)
+ unless sid and session = @@session_class.find_by_session_id(sid)
+ # If the sid was nil or if there is no pre-existing session under the sid,
+ # force the generation of a new sid and associate a new session associated with the new sid
+ sid = generate_sid
+ session = => sid, :data => {})
+ end
env[SESSION_RECORD_KEY] = session
Please sign in to comment.
Something went wrong with that request. Please try again.