Rails: Is Devise vulnerable to session hijacking?

Is Devise vulnerable to session hijacking over a regular http:// connection? I find it hard to understand this from the documentation.

+6
2 answers

Yes. The default Rails session management is susceptible to session hijacking.

This is because it hands the client, in HTTP cookies, all the information the client needs in order to identify itself. For the most part, anyone who can intercept an HTTP connection can assume the client's authenticated identity as far as Rails is concerned.

The simplest countermeasure is to serve your site only over HTTPS, and to have Rails use secure cookies, which tell the browser to send the cookie only over HTTPS. The security guide contains more helpful tips.

+8
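To make the first answer's point concrete, here is an added, constructed example (not code from the original post, from Rails or from Devise). It stands in for the Rails cookie store with a hypothetical HMAC-signed cookie: the cookie alone identifies the user, so anyone who reads it off a plain http:// connection can replay it and be that user, while the `Secure` attribute stops the browser from ever putting it on the wire in clear text. The secret, cookie name and user id are made up for the demonstration.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed secret for this demo only; Rails derives its cookie keys
# from secret_key_base.
SECRET_KEY_BASE = "constructed-secret-for-demo-only"

def sign(payload)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SECRET_KEY_BASE, payload)
end

# Constant-time string comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: after login, the whole session (here just user_id) is
# serialised into the cookie and signed. Rails also encrypts it; that does
# not matter here, because the attacker replays the cookie, not reads it.
def issue_session_cookie(user_id)
  payload = Base64.strict_encode64(JSON.generate({ "user_id" => user_id }))
  "#{payload}--#{sign(payload)}"
end

# Server side: any request carrying a validly signed cookie IS that user.
# Nothing about the sender (IP, channel, client cert) is checked.
def current_user_id(cookie_value)
  return nil if cookie_value.nil?
  payload, sig = cookie_value.split("--", 2)
  return nil unless payload && sig && secure_equal?(sig, sign(payload))
  JSON.parse(Base64.strict_decode64(payload))["user_id"]
end

# Server side: the Set-Cookie header. Without "Secure" the browser will
# also attach the cookie to plain http:// requests.
def set_cookie_header(name, value, secure:)
  attrs = ["#{name}=#{value}", "Path=/", "HttpOnly", "SameSite=Lax"]
  attrs << "Secure" if secure
  attrs.join("; ")
end

# Browser side (simplified): is the cookie attached to a request over this
# scheme? The Secure attribute is exactly the rule that changes this.
def browser_sends_cookie?(set_cookie, scheme:)
  attrs = set_cookie.split("; ").map(&:strip)
  return true unless attrs.include?("Secure")
  scheme == "https"
end

# Network attacker: sees only what the browser sent in clear text.
def sniff_cookie(set_cookie, scheme:)
  return nil unless browser_sends_cookie?(set_cookie, scheme: scheme)
  return nil if scheme == "https" # TLS hides the header from the sniffer
  set_cookie.split("; ").first.split("=", 2).last
end

# Whole scenario: user 42 logs in, later browses an http:// page of the same
# site, attacker sniffs the cookie and replays it. Returns the user id the
# server believes the attacker is (42 = hijacked, nil = blocked).
def hijack_demo(secure:)
  cookie = issue_session_cookie(42)
  header = set_cookie_header("_app_session", cookie, secure: secure)
  stolen = sniff_cookie(header, scheme: "http")
  current_user_id(stolen)
end

if __FILE__ == $PROGRAM_NAME
  puts "cookie without Secure, replayed by attacker: user #{hijack_demo(secure: false).inspect}"
  puts "cookie with Secure,    replayed by attacker: user #{hijack_demo(secure: true).inspect}"
end
```

Note that the signature protects only against forging or tampering with the cookie; it does nothing against replay, which is why the fix in the answer is transport-level (HTTPS plus the Secure attribute) rather than cryptographic.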

As mentioned in this message in the Devise discussion group, the application's security settings are the domain of the host application (in this case Rails, I suppose).

Check out the RailsCasts episode Dangers of Session Hijacking for dealing with session hijacking at the Rails application level.

The Rails Security Guide section on session hijacking is another good resource.

Devise only enforces SSL cookies when :secure => true is set in config/initializers/devise.rb of the Rails application.

+5
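For reference, the settings the two answers point at, in the files where a Rails application sets them. This is an added, illustrative configuration fragment, not from the original answers or from the Devise project; `_app_session` is a placeholder cookie name. `config.force_ssl` on its own redirects http:// to https://, sends HSTS and flags cookies Secure; the session-store and Devise lines are shown so the weak and hardened cookie settings sit side by side.

```ruby
# config/environments/production.rb
Rails.application.configure do
  # Redirect http:// to https://, send Strict-Transport-Security,
  # and mark outgoing cookies Secure.
  config.force_ssl = true
end

# config/initializers/session_store.rb
# Weak: the session cookie is also sent on plain http:// requests.
# Rails.application.config.session_store :cookie_store, key: "_app_session"
#
# Hardened: the browser only sends it over https://, and scripts cannot read it.
Rails.application.config.session_store :cookie_store,
  key: "_app_session", secure: true, httponly: true

# config/initializers/devise.rb
Devise.setup do |config|
  # The "remember me" cookie is written by Devise, not by the Rails
  # session store, so it carries its own cookie options.
  config.rememberable_options = { secure: true }
end
```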

Source: https://habr.com/ru/post/927643/