On Oct 14, 2013, at 11:28 AM, Steve Klabnik wrote:

> (I believe) it already is:
> http://guides.rubyonrails.org/security.html#session-fixation
The new article is about a different scenario - namely that the CookieStore doesn't include any kind of invalidation mechanism by default. Short version:

1. attacker steals a session cookie from user Victim (NOTE: user is already pwned at this point)
2. Victim logs out of the site
3. attacker uses the stolen cookie to continue acting as Victim

TBH, it's a bug to be sure - but calling it "broken by default" when the repro starts with "Step 1: the user is utterly pwned" seems a bit hyperbolic.

Drink your SSL + Secure cookies, kids!

--Matt Jones
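As an added illustration of the three-step scenario above (example code, not from the thread or from Rails itself): a minimal stand-in for a signed cookie-store session, checked two ways. The default check only verifies the signature, so a cookie copied before logout still works; the hardened check also compares a per-user generation counter that logout bumps. The secret, the user id and the SESSION_GENERATION store are constructed for the example, where a real app would use secret_key_base and a database column.

```ruby
require 'openssl'
require 'json'

# Constructed stand-in for a signed cookie-store session. Secret and user ids are
# made up; a real app would use secret_key_base and a per-user database column.
SECRET = 'example-secret-not-for-production'.freeze
SESSION_GENERATION = Hash.new(0) # hypothetical server-side per-user counter

# Constant-time comparison so the MAC check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign(payload)
  data = [JSON.generate(payload)].pack('m0') # strict base64, no newlines
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)}"
end

# Returns the payload if the signature checks out, nil otherwise.
def verify(cookie)
  data, mac = cookie.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA256', SECRET, data), mac)
  JSON.parse(data.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

def build_session_cookie(user_id)
  sign('user_id' => user_id, 'gen' => SESSION_GENERATION[user_id])
end

# Default cookie-store behaviour: a valid signature is all that is checked, so a
# cookie copied before logout keeps working afterwards.
def cookie_store_user(cookie)
  payload = verify(cookie)
  payload && payload['user_id']
end

# Logout bumps the server-side generation, invalidating every cookie issued for
# that user no matter who is holding it.
def logout(user_id)
  SESSION_GENERATION[user_id] += 1
end

def hardened_user(cookie)
  payload = verify(cookie)
  return nil unless payload && payload['gen'] == SESSION_GENERATION[payload['user_id']]
  payload['user_id']
end
```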