rails / activerecord-session_store

Active Record's Session Store extracted from Rails
MIT License

Rack 2.1.1+ breaks session_id #154

Open shleeable opened 4 years ago

shleeable commented 4 years ago

The issue on master mentioned by @kaoru probably needs to be fixed in activerecord-session-store. It should now store and lookup the private_id of the session_id object in the database. The previous way of looking up the session directly using the session_id is prone to a timing attack, which is the reason rack's API was changed.

Originally posted by @jeremyevans in https://github.com/rack/rack/issues/1522#issuecomment-578800357

kaoru commented 4 years ago

Duplicating my comment from https://github.com/rack/rack/issues/1522 here, with some small updates to include ActiveRecord Session Store versions:

Rack 2.1.1, ActiveRecord Session Store 1.1.3

NoMethodError
undefined method `transform_keys' for #<ActionDispatch::Request::Session:0x00007fd3d0f3d170>

rack (2.1.1) lib/rack/session/abstract/id.rb:212:in `stringify_keys'
rack (2.1.1) lib/rack/session/abstract/id.rb:148:in `update'
rack (2.1.1) lib/rack/session/abstract/id.rb:317:in `prepare_session'
rack (2.1.1) lib/rack/session/abstract/id.rb:276:in `context'
rack (2.1.1) lib/rack/session/abstract/id.rb:271:in `call'
rack (2.1.1) lib/rack/urlmap.rb:77:in `block in call'
rack (2.1.1) lib/rack/urlmap.rb:61:in `each'
rack (2.1.1) lib/rack/urlmap.rb:61:in `call'
rack (2.1.1) lib/rack/builder.rb:176:in `call'
sidekiq (6.0.3) lib/sidekiq/web.rb:104:in `call'
sidekiq (6.0.3) lib/sidekiq/web.rb:109:in `call'
actionpack (6.0.2.1) lib/action_dispatch/routing/mapper.rb:19:in `block in <class:Constraints>'
actionpack (6.0.2.1) lib/action_dispatch/routing/mapper.rb:48:in `serve'
actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:49:in `block in serve'
actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:32:in `each'
actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:32:in `serve'
actionpack (6.0.2.1) lib/action_dispatch/routing/route_set.rb:837:in `call'
meta_request (0.7.2) lib/meta_request/middlewares/app_request_handler.rb:13:in `call'
meta_request (0.7.2) lib/meta_request/middlewares/meta_request_handler.rb:13:in `call'
rack-attack (6.2.1) lib/rack/attack.rb:156:in `call'
remotipart (1.4.3) lib/remotipart/middleware.rb:32:in `call'
warden (1.2.8) lib/warden/manager.rb:36:in `block in call'
warden (1.2.8) lib/warden/manager.rb:34:in `catch'
warden (1.2.8) lib/warden/manager.rb:34:in `call'
rack (2.1.1) lib/rack/tempfile_reaper.rb:17:in `call'
rack (2.1.1) lib/rack/etag.rb:27:in `call'
rack (2.1.1) lib/rack/conditional_get.rb:27:in `call'
rack (2.1.1) lib/rack/head.rb:14:in `call'
actionpack (6.0.2.1) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
rack (2.1.1) lib/rack/session/abstract/id.rb:277:in `context'
rack (2.1.1) lib/rack/session/abstract/id.rb:271:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/cookies.rb:648:in `call'
activerecord (6.0.2.1) lib/active_record/migration.rb:567:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (6.0.2.1) lib/active_support/callbacks.rb:101:in `run_callbacks'
actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
rack-contrib (2.1.0) lib/rack/contrib/response_headers.rb:17:in `call'
meta_request (0.7.2) lib/meta_request/middlewares/headers.rb:16:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
railties (6.0.2.1) lib/rails/rack/logger.rb:38:in `call_app'
railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `block in call'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `block in tagged'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:28:in `tagged'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `tagged'
railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
request_store (1.4.1) lib/request_store/middleware.rb:19:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/request_id.rb:27:in `call'
rack (2.1.1) lib/rack/method_override.rb:24:in `call'
rack (2.1.1) lib/rack/runtime.rb:24:in `call'
rack-attack (6.2.1) lib/rack/attack.rb:170:in `call'
activesupport (6.0.2.1) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/static.rb:126:in `call'
rack (2.1.1) lib/rack/sendfile.rb:113:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/host_authorization.rb:83:in `call'
webpacker (4.2.2) lib/webpacker/dev_server_proxy.rb:23:in `perform_request'
rack-proxy (0.6.5) lib/rack/proxy.rb:57:in `call'
railties (6.0.2.1) lib/rails/engine.rb:526:in `call'
puma (4.3.1) lib/puma/configuration.rb:228:in `call'
puma (4.3.1) lib/puma/server.rb:681:in `handle_request'
puma (4.3.1) lib/puma/server.rb:472:in `process_client'
puma (4.3.1) lib/puma/server.rb:328:in `block in run'
puma (4.3.1) lib/puma/thread_pool.rb:134:in `block in spawn_thread'

Rack master (https://github.com/rack/rack/commit/01556901e519159982c28a8511b18ffb22f0454d), ActiveRecord Session Store 1.1.3

TypeError
can't cast Rack::Session::SessionId

activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/quoting.rb:34:in `rescue in type_cast'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/quoting.rb:24:in `type_cast'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/quoting.rb:203:in `block in type_casted_binds'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/quoting.rb:203:in `map'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/quoting.rb:203:in `type_casted_binds'
activerecord (6.0.2.1) lib/active_record/connection_adapters/postgresql_adapter.rb:682:in `exec_cache'
activerecord (6.0.2.1) lib/active_record/connection_adapters/postgresql_adapter.rb:655:in `execute_and_clear'
activerecord (6.0.2.1) lib/active_record/connection_adapters/postgresql/database_statements.rb:98:in `exec_query'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/database_statements.rb:491:in `select_prepared'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/database_statements.rb:68:in `select_all'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/query_cache.rb:105:in `block in select_all'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/query_cache.rb:123:in `block in cache_sql'
/Users/alex/.rbenv/versions/2.6.5/lib/ruby/2.6.0/monitor.rb:235:in `mon_synchronize'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/query_cache.rb:114:in `cache_sql'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/query_cache.rb:105:in `select_all'
activerecord (6.0.2.1) lib/active_record/querying.rb:46:in `find_by_sql'
activerecord (6.0.2.1) lib/active_record/relation.rb:810:in `block in exec_queries'
activerecord (6.0.2.1) lib/active_record/relation.rb:828:in `skip_query_cache_if_necessary'
activerecord (6.0.2.1) lib/active_record/relation.rb:797:in `exec_queries'
activerecord (6.0.2.1) lib/active_record/relation.rb:615:in `load'
activerecord (6.0.2.1) lib/active_record/relation.rb:250:in `records'
activerecord (6.0.2.1) lib/active_record/relation.rb:245:in `to_ary'
activerecord (6.0.2.1) lib/active_record/relation/finder_methods.rb:528:in `find_nth_with_limit'
activerecord (6.0.2.1) lib/active_record/relation/finder_methods.rb:513:in `find_nth'
activerecord (6.0.2.1) lib/active_record/relation/finder_methods.rb:120:in `first'
activerecord-session_store (1.1.3) lib/active_record/session_store/session.rb:58:in `find_by_session_id'
activerecord-session_store (1.1.3) lib/action_dispatch/session/active_record_store.rb:124:in `block in get_session_model'
activerecord-session_store (1.1.3) lib/active_record/session_store/extension/logger_silencer.rb:47:in `silence_logger'
activerecord-session_store (1.1.3) lib/action_dispatch/session/active_record_store.rb:123:in `get_session_model'
activerecord-session_store (1.1.3) lib/action_dispatch/session/active_record_store.rb:83:in `block in write_session'
activerecord-session_store (1.1.3) lib/active_record/session_store/extension/logger_silencer.rb:47:in `silence_logger'
activerecord-session_store (1.1.3) lib/action_dispatch/session/active_record_store.rb:82:in `write_session'
rack (01556901e519) lib/rack/session/abstract/id.rb:396:in `commit_session'
rack (01556901e519) lib/rack/session/abstract/id.rb:276:in `context'
rack (01556901e519) lib/rack/session/abstract/id.rb:268:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/cookies.rb:648:in `call'
activerecord (6.0.2.1) lib/active_record/migration.rb:567:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (6.0.2.1) lib/active_support/callbacks.rb:101:in `run_callbacks'
actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
rack-contrib (2.1.0) lib/rack/contrib/response_headers.rb:17:in `call'
meta_request (0.7.2) lib/meta_request/middlewares/headers.rb:16:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
railties (6.0.2.1) lib/rails/rack/logger.rb:38:in `call_app'
railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `block in call'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `block in tagged'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:28:in `tagged'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `tagged'
railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
request_store (1.4.1) lib/request_store/middleware.rb:19:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/request_id.rb:27:in `call'
rack (01556901e519) lib/rack/method_override.rb:24:in `call'
rack (01556901e519) lib/rack/runtime.rb:24:in `call'
rack-attack (6.2.1) lib/rack/attack.rb:170:in `call'
activesupport (6.0.2.1) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/static.rb:126:in `call'
rack (01556901e519) lib/rack/sendfile.rb:113:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/host_authorization.rb:83:in `call'
webpacker (4.2.2) lib/webpacker/dev_server_proxy.rb:23:in `perform_request'
rack-proxy (0.6.5) lib/rack/proxy.rb:57:in `call'
railties (6.0.2.1) lib/rails/engine.rb:526:in `call'
puma (4.3.1) lib/puma/configuration.rb:228:in `call'
puma (4.3.1) lib/puma/server.rb:681:in `handle_request'
puma (4.3.1) lib/puma/server.rb:472:in `process_client'
puma (4.3.1) lib/puma/server.rb:328:in `block in run'
puma (4.3.1) lib/puma/thread_pool.rb:134:in `block in spawn_thread'

Let me know if I can provide any additional information 😄

jskirst commented 4 years ago

Running into this issue as well - seems like it would be fairly widespread at this point but odd no one else has chimed in. This is an issue for me in a standard Rails application but not in a Rails API-only application.

Update: I was able to resolve my issue by modifying my config/initializers/session_store.rb code to the following:

Rails.application.config.session_store :active_record_store, key: '.....

It had originally been the following, which had worked for my Rails API-only application.

Rails.application.config.middleware.use ActionDispatch::Cookies
Rails.application.config.middleware.insert_after(ActionDispatch::Cookies, ActionDispatch::Session::ActiveRecordStore, key: '...

wimpog commented 3 years ago

@jskirst I have the same thing as you and it doesn't fix my issue.

wimpog commented 3 years ago

Any update on this issue?

synth commented 3 years ago

We are hitting this as well after upgrading to 2.0 of this gem. In our case, we have middleware for fast autocomplete/typeahead functionality.

We look up the session with:

session = ActiveRecord::SessionStore::Session.find_by_session_id( request.cookies[session_key] )

request.cookies[session_key] is different than what is in the session_id in the database and so the above no longer works.

However, we were able to solve it with:

sid = Rack::Session::SessionId.new( request.cookies[session_key] )
sid.public_id # maps to what is stored in the cookie, obvs
sid.private_id # maps to what is stored in the database
session = ActiveRecord::SessionStore::Session.find_by_session_id( sid.private_id )

I don't know if this is the best, most idiomatic way to solve this but it works for us for now.
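The following is an added example, not code from this issue or from the activerecord-session_store gem. It illustrates the design point quoted from @jeremyevans at the top of the thread and the public_id/private_id lookup that synth's comment works around. `SessionIdentifier` re-derives the private id the way Rack 2.1's `Rack::Session::SessionId` does (the string "2::" followed by the SHA-256 hex digest of the cookie value) so that the block runs without the rack gem; `SessionTable` is a hypothetical in-memory stand-in for the sessions table, and `PrivateIdSessionStore` is a hypothetical store whose fallback read on the raw cookie value is an assumption about how a deployment would migrate rows written before the change, not a description of what the gem itself does.

```ruby
require 'digest'
require 'securerandom'

# Stand-in for Rack::Session::SessionId (Rack >= 2.1), reimplemented here.
# The cookie carries public_id; the store is keyed on private_id, a versioned
# SHA-256 digest of it. Only the digest reaches the database, so a timing
# side channel on the `WHERE session_id = ?` comparison can at best leak the
# digest, which cannot be turned back into a usable cookie value.
class SessionIdentifier
  ID_VERSION = 2
  attr_reader :public_id

  def initialize(public_id)
    @public_id = public_id
  end

  def private_id
    "#{ID_VERSION}::#{Digest::SHA256.hexdigest(public_id)}"
  end
end

# Hypothetical in-memory stand-in for the sessions table:
# { session_id => data }, mirroring ActiveRecord::SessionStore::Session.
class SessionTable
  def initialize
    @rows = {}
  end

  def insert(session_id, data)
    @rows[session_id] = data
  end

  def find_by_session_id(session_id)
    @rows[session_id]
  end

  def delete(session_id)
    @rows.delete(session_id)
  end
end

# Hypothetical store that always writes under the private id. The
# legacy_fallback path (an assumption, not the gem's behaviour) reads a row
# still keyed on the raw cookie value and rewrites it under the private id,
# so the raw value stops sitting in the table after the first hit.
class PrivateIdSessionStore
  def initialize(table, legacy_fallback: true)
    @table = table
    @legacy_fallback = legacy_fallback
  end

  def write(cookie_value, data)
    @table.insert(SessionIdentifier.new(cookie_value).private_id, data)
  end

  def read(cookie_value)
    sid = SessionIdentifier.new(cookie_value)
    data = @table.find_by_session_id(sid.private_id)
    return data if data || !@legacy_fallback

    legacy = @table.find_by_session_id(sid.public_id)
    return nil unless legacy

    @table.delete(sid.public_id)
    @table.insert(sid.private_id, legacy)
    legacy
  end
end

def demo
  table = SessionTable.new
  store = PrivateIdSessionStore.new(table)

  cookie = SecureRandom.hex(16) # constructed sample cookie value
  store.write(cookie, { 'user_id' => 42 })

  # Pre-2.1 style lookup by the raw cookie value no longer finds the row;
  # the same lookup via private_id does.
  raw_lookup = table.find_by_session_id(cookie)
  hashed_lookup = store.read(cookie)

  # A row written by an older deployment, keyed on the raw value, is still
  # readable and is migrated on first read.
  legacy_cookie = SecureRandom.hex(16) # constructed sample cookie value
  table.insert(legacy_cookie, { 'user_id' => 7 })
  migrated = store.read(legacy_cookie)
  legacy_gone = table.find_by_session_id(legacy_cookie).nil?

  { raw_lookup: raw_lookup, hashed_lookup: hashed_lookup,
    migrated: migrated, legacy_gone: legacy_gone }
end

demo
```

The raw-value fallback is what makes the upgrade safe for live sessions; once every legacy row has been rewritten (or has expired), it can be switched off with `legacy_fallback: false` so the store never again compares a secret the client controls directly against the table.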