Fix for session ID fixation issue in ActiveRecord::SessionStore #2016

Closed
Contributor

jhtwong commented Jul 8, 2011

I have found that Rails will take an invalid session ID specified by the client and materialize a session based on that session ID. This means that it is possible, among other things, for a client to use an arbitrarily weak session ID or for a client to resurrect a previously used session ID. In other words, we cannot guarantee that all session IDs are generated by the server and that they are (statistically) unique through time.

The fix is to always generate a new session ID in #get_session if an existing session cannot be found under the incoming session ID.

@NZKoz here's the pull request as per our earlier emails

Fixed session ID fixation for ActiveRecord::SessionStore
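To make the issue described in this pull request concrete, here is an added example (not the Rails patch or any code from the PR) that contrasts a minimal in-memory stand-in for the old `#get_session` lookup with one that applies the fix. The `SessionTable` class and the `get_session_before`/`get_session_after` names are assumptions for illustration only.

```ruby
require "securerandom"

# Assumed stand-in for the sessions table backing ActiveRecord::SessionStore.
class SessionTable
  def initialize
    @rows = {} # session_id => session data
  end

  def find_by_session_id(sid)
    @rows[sid]
  end

  def create(sid)
    @rows[sid] = {}
  end
end

# Server-generated session ID: 128 random bits, hex-encoded.
def generate_sid
  SecureRandom.hex(16)
end

# Behaviour the PR describes: an unknown session ID supplied by the client is
# materialized as a new session under that very ID, so the client chooses it
# (it may be weak, or one it used before).
def get_session_before(table, sid)
  session = sid && table.find_by_session_id(sid)
  unless session
    sid ||= generate_sid          # only missing IDs get a server value
    session = table.create(sid)
  end
  [sid, session]
end

# Behaviour after the fix: if no session exists under the incoming ID, the
# client-supplied value is discarded and a fresh server ID is always issued.
def get_session_after(table, sid)
  session = sid && table.find_by_session_id(sid)
  unless session
    sid = generate_sid            # never trust the incoming ID
    session = table.create(sid)
  end
  [sid, session]
end
```

A session that does exist under the incoming ID is still returned unchanged by the fixed version; only unknown IDs are replaced.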
Contributor

josevalim commented Jul 8, 2011

Hey mate, thanks for the pull request. Could you also provide a test case?

Contributor

jhtwong commented Jul 8, 2011

I've got an integration test in my app that tests this. Let me see if I can put the test cases into actionpack/test/activerecord/active_record_store_test.rb.

Contributor

jhtwong commented Jul 8, 2011

Just got the active_record_store_test.rb to run using jdbcsqlite3 as is. Seems that the SqlBypass store has been broken for a little while. Should I add the fix to this pull request or open a new one?

jhtwong added some commits Jul 8, 2011

New integration tests for #2016 - Fix for session ID fixation issue in ActiveRecord::SessionStore

These new tests make sure that an invalid session ID is never materialized into a new session, regardless of whether it comes in via a cookie or a URL parameter (when :cookie_only => false).

Fix for SqlBypass session store

Two issues fixed:
1) connection_pool is not defined - needed by SessionStore#drop_table! and create_table! since c94651f
2) initialization of connection to the default of AR::Base.connection only occurred at the singleton level - the instance level method defined by cattr_accessor did not have this logic
Contributor

jhtwong commented Jul 8, 2011

I decided to put the SqlBypass fix on the same branch, since the tests would break horribly otherwise.

Owner

spastorino commented Jul 10, 2011

Can you squash your commits? At least the ones that make sense to be together.
Thanks.

Contributor

jhtwong commented Jul 11, 2011

I can squash fa3c0e4 (the original session fixation fix) and d0e2340 (the integration test) together. Probably makes sense for the SqlBypass fix f14bca2 to stay separate?

Owner

spastorino commented Jul 11, 2011

Yes

Owner

spastorino commented Jul 11, 2011

Can you also provide the same patch for master?

Contributor

jhtwong commented Jul 12, 2011

Alright, there are now 4 new pull requests replacing this one:

for 3-1-stable
#2039 - session id patch with test
#2040 - SqlBypass patch

for master
#2041 - session id patch with test
#2042 - SqlBypass patch

@spastorino spastorino closed this Jul 12, 2011
