teamon
commented
11 years ago Does warden/devise handle that?
Closed sheerun closed 11 years ago
teamon
commented
11 years ago Does warden/devise handle that?
sheerun
commented
11 years ago No idea
jandudulski
commented
11 years ago Does warden/devise handle that?
Since yesterday, but yes it is
sheerun
commented
11 years ago Ok, just use the newest one (devise implemented it 3 days ago).
jandudulski
commented
11 years ago Ah, devise fixed another security issue (which just looks similar). It was secure against session fixation already.
Note Devise is not vulnerable to session fixation attacks (i.e. the user cannot steal another user session by fixating the session id).
From Rails Guides
This attack focuses on fixing a user's session id known to the attacker, and forcing the user's browser into using this id. It is therefore not necessary for the attacker to steal the session id afterwards. Here is how this attack works:
The attacker creates a valid session id: He loads the login page of the web application where he wants to fix the session, and takes the session id in the cookie from the response (see number 1 and 2 in the image). He possibly maintains the session. Expiring sessions, for example every 20 minutes, greatly reduces the time-frame for attack. Therefore he accesses the web application from time to time in order to keep the session alive. Now the attacker will force the user's browser into using this session id (see number 3 in the image). As you may not change a cookie of another domain (because of the same origin policy), the attacker has to run a JavaScript from the domain of the target web application. Injecting the JavaScript code into the application by XSS accomplishes this attack. Here is an example: . Read more about XSS and injection later on. The attacker lures the victim to the infected page with the JavaScript code. By viewing the page, the victim's browser will change the session id to the trap session id. As the new trap session is unused, the web application will require the user to authenticate. From now on, the victim and the attacker will co-use the web application with the same session: The session became valid and the victim didn't notice the attack.
Session Fixation – Countermeasures
The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well. Here is how to create a new session in Rails:
If you use the popular RestfulAuthentication plugin for user management, add reset_session to the SessionsController#create action. Note that this removes any value from the session, you have to transfer them to the new session.
Another countermeasure is to save user-specific properties in the session, verify them every time a request comes in, and deny access, if the information does not match. Such properties could be the remote IP address or the user agent (the web browser name), though the latter is less user-specific. When saving the IP address, you have to bear in mind that there are Internet service providers or large organizations that put their users behind proxies. These might change over the course of a session, so these users will not be able to use your application, or only in a limited way.