
Fixed session ID fixation for ActiveRecord::SessionStore

I have found that Rails will take an invalid session ID specified by the
client and materialize a session based on that session ID. This means
that it is possible, among other things, for a client to use an
arbitrarily weak session ID or for a client to resurrect a previously used
session ID. In other words, we cannot guarantee that all session IDs are
generated by the server and that they are (statistically) unique through
time.

The fix is to always generate a new session ID in #get_session if an
existing session cannot be found under the incoming session ID.
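The two behaviours the commit message contrasts, as an added Ruby illustration that is not Rails code: a toy in-memory stand-in for the session table (SessionTable, generate_sid, and both get_session variants are constructed here for the example), with the pre-fix path materializing whatever sid the client presents and the post-fix path mirroring the logic of the patched #get_session. The attacker-chosen sid and the "logged out then re-presented" sid are constructed sample inputs.

```ruby
require 'securerandom'

# Minimal in-memory stand-in for the ActiveRecord session table.
# Added for this example; it only models the lookup/create behaviour
# the commit message describes, not the real SessionStore.
class SessionTable
  Record = Struct.new(:session_id, :data)

  def initialize
    @rows = {}
  end

  def find_by_session_id(sid)
    @rows[sid]
  end

  def create(sid)
    @rows[sid] = Record.new(sid, {})
  end

  def delete(sid)
    @rows.delete(sid)
  end
end

# Server-chosen sid: 128 bits from the CSPRNG (assumed format for the example).
def generate_sid
  SecureRandom.hex(16)
end

# Pre-fix behaviour as described in the commit message: a sid supplied by the
# client is trusted and a session is materialized under it if none exists.
def get_session_vulnerable(table, sid)
  sid ||= generate_sid
  session = table.find_by_session_id(sid) || table.create(sid)
  [sid, session.data]
end

# Post-fix behaviour mirroring the patch: a client sid is honoured only if a
# stored session already exists under it; otherwise a fresh sid is issued.
def get_session_fixed(table, sid)
  unless sid && (session = table.find_by_session_id(sid))
    sid = generate_sid
    session = table.create(sid)
  end
  [sid, session.data]
end

# Constructed input: a trivially guessable cookie value chosen by the client.
ATTACKER_SID = '1'.freeze

# Does each variant let the client pick its own session ID?
def fixation_demo
  vuln_sid, _ = get_session_vulnerable(SessionTable.new, ATTACKER_SID)
  fixed_sid, _ = get_session_fixed(SessionTable.new, ATTACKER_SID)
  { vulnerable_honours_client_sid: vuln_sid == ATTACKER_SID,
    fixed_honours_client_sid: fixed_sid == ATTACKER_SID,
    fixed_sid: fixed_sid }
end

# Can a sid whose session was destroyed (e.g. on logout) be brought back?
def resurrection_demo
  vuln_table = SessionTable.new
  old_sid, _ = get_session_fixed(vuln_table, nil)
  vuln_table.delete(old_sid)
  vuln_sid, _ = get_session_vulnerable(vuln_table, old_sid)

  fixed_table = SessionTable.new
  old_sid2, _ = get_session_fixed(fixed_table, nil)
  fixed_table.delete(old_sid2)
  fixed_sid, _ = get_session_fixed(fixed_table, old_sid2)

  { vulnerable_resurrects: vuln_sid == old_sid,
    fixed_resurrects: fixed_sid == old_sid2 }
end

# A sid that does name a live session is still honoured after the fix.
def known_sid_demo
  table = SessionTable.new
  sid, _ = get_session_fixed(table, nil)
  again, _ = get_session_fixed(table, sid)
  again == sid
end

if __FILE__ == $0
  p fixation_demo
  p resurrection_demo
  p known_sid_demo
end
```

The fixed variant also shows the limit of the change: it stops a client from choosing or reviving a sid, but a sid the server itself issued earlier (a pre-login session planted on a victim) remains valid until the application rotates it.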
1 parent 9370855, commit fa3c0e48c9ac3f8995534b7c7ca44035c22c4fff, jhtwong committed Jul 8, 2011
Showing with 6 additions and 2 deletions.
+6 −2 activerecord/lib/active_record/session_store.rb
@@ -297,8 +297,12 @@ def destroy
private
def get_session(env, sid)
Base.silence do
- sid ||= generate_sid
- session = find_session(sid)
+ unless sid and session = @@session_class.find_by_session_id(sid)
+ # If the sid was nil or if there is no pre-existing session under the sid,
+ # force the generation of a new sid and associate a new session associated with the new sid
+ sid = generate_sid
+ session = @@session_class.new(:session_id => sid, :data => {})
+ end
env[SESSION_RECORD_KEY] = session
[sid, session.data]
end
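Review bot: the new guard only covers a sid that names no stored session, so a sid the server itself issued earlier (obtained by an attacker before login and planted on the victim) still survives through authentication; the "session ID fixation" title therefore promises more than the hunk delivers, and the commit message should say that rotating the sid on privilege change (reset_session) is still the application's job. Two smaller points on the hunk: the removed line `- session = find_session(sid)` was the only caller visible here, but the `find_session` definition is not touched, so if it still builds a record from a client-supplied sid and is reached from another path (for example on write) the same materialization stays reachable; either change it to return nil on a miss and keep calling it, or delete it. Also, the inline assignment in `+ unless sid and session = @@session_class.find_by_session_id(sid)` reads like a comparison at a glance; `session = sid && @@session_class.find_by_session_id(sid)` followed by `unless session` is clearer, and the comment on the next line ("associate a new session associated with the new sid") should be cut to one clause.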
