Rails 3 ActiveRecordStore session_id tampering

I am jointly developing a simple web application in Rails 3.0.9, and I realized that it is possible to fake the session_id with a malicious request. Keep in mind that this is my first RoR application, so I may be completely wrong in my concepts.

The current functionality of the application requires sessions, so I switched to the ActiveRecordStore session store, installed it, and started testing it in primitive workflows. I noticed that the Rails environment creates a cookie named _session_id whose value is some random hash-like string (in the DB SESSION table, this value corresponds to the session_id column).

If this cookie value is changed, for example with Firebug, the current session identifier changes to the one contained in the cookie (checked using request.session_options[:id]), and this change propagates to the database table, creating a new session record with that identifier.

While this does not affect session variables, for the user who tampered with it the session identifier no longer looks like the usual hash.

The question is: how can this behavior be detected or prevented?

1 answer

To answer your question, it is important to understand how the session identifier is generated (from the docs):

The session ID is a hash value of a random string. The random string is the current time, a random number between 0 and 1, the process ID number of the Ruby interpreter (also basically a random number) and a constant string. Currently it is not feasible to brute-force Rails session identifiers. To date MD5 is uncompromised, but there have been collisions, so it is theoretically possible to create another input text with the same hash value. But this has had no security impact to date.

Thus, the session identifier is designed to be cryptographically "hard to guess". An attacker can change the session_id, but the idea is that they could never guess an actual session.

How can this be prevented?

Based on the above logic, if you lower the session expiration time, there will be significantly fewer "live" session_ids, making it even more difficult for an attacker to randomly pick a useful identifier.

How can this behavior be detected?

The easiest way is to log all requests with invalid (not expired) session identifiers. If you see a significant influx of such requests, someone is probably trying to get hold of a session that is not their own.

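An added example (not code from the question or the answer) of the detection approach described above, written in plain Ruby rather than as a Rails filter so it runs stand-alone: it classifies an incoming _session_id cookie value against an in-memory stand-in for the sessions table (constructed data), treats only unknown or malformed ids as suspicious (an expired id is just a stale cookie), and counts suspicious ids per client address. The 32-hex-character id format, the TTL and the alert threshold are assumptions.

```ruby
require 'time'

# Constructed stand-in for the Rails sessions table: session_id => updated_at.
SESSIONS = {
  "0123456789abcdef0123456789abcdef" => Time.utc(2011, 8, 1, 12, 0, 0),
  "fedcba9876543210fedcba9876543210" => Time.utc(2011, 7, 1, 12, 0, 0),
}
SESSION_TTL = 3600 # seconds; assumed session expiration time

# Assumed format: a Rails 3.0 session id is 32 lowercase hex characters.
SESSION_ID_FORMAT = /\A[0-9a-f]{32}\z/

# Classify a cookie value as :none, :malformed, :unknown, :expired or :valid.
def classify_session_id(id, now, sessions = SESSIONS)
  return :none if id.nil? || id.empty?
  return :malformed unless id =~ SESSION_ID_FORMAT
  updated_at = sessions[id]
  return :unknown unless updated_at
  return :expired if now - updated_at > SESSION_TTL
  :valid
end

# Logs suspicious session ids and flags a client once it sends too many.
class TamperMonitor
  attr_reader :log

  def initialize(threshold: 3)
    @threshold = threshold       # assumed: alert after this many per client
    @counts = Hash.new(0)
    @log = []
  end

  # Returns true when the client has reached the suspicious-id threshold.
  def record(remote_ip, session_id, now)
    verdict = classify_session_id(session_id, now)
    # A missing cookie or a legitimately expired one is normal traffic.
    return false if [:valid, :none, :expired].include?(verdict)
    @counts[remote_ip] += 1
    @log << "#{now.iso8601} ip=#{remote_ip} session_id=#{session_id.inspect} verdict=#{verdict}"
    @counts[remote_ip] >= @threshold
  end
end

if __FILE__ == $0
  monitor = TamperMonitor.new
  now = Time.utc(2011, 8, 1, 12, 30, 0)
  ["tampered", "deadbeefdeadbeefdeadbeefdeadbeef"].each do |id|
    monitor.record("10.0.0.1", id, now)
  end
  puts monitor.log
end
```

In a Rails 3 application the same check would run in a before_filter using request.cookies["_session_id"] and request.remote_ip, with the log lines going to Rails.logger.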
