Isn't this a common problem with every other framework that uses cookies for sessions? I find it a bit hard on Rails given that point.
I remember doing some successful tests on Facebook (PHP) with FireSheep, and I believe (please tell me if I'm wrong) that it gets fixed by using SSL to prevent the session data from being retrieved in the first place.

On Mon, Oct 14, 2013 at 5:20 PM, Matt Jones <[email protected]> wrote:
>
> On Oct 14, 2013, at 11:28 AM, Steve Klabnik wrote:
>
> (I believe) it already is:
> http://guides.rubyonrails.org/security.html#session-fixation
>
> The new article is about a different scenario - namely that the CookieStore doesn't include any kind of invalidation mechanism by default.
>
> Short version:
>
> 1: attacker steals a session cookie from user Victim (NOTE: user is already pwned at this point)
>
> 2: Victim logs out of the site
>
> 3: attacker uses the stolen cookie to continue acting as Victim
>
> TBH, it's a bug to be sure - but calling it "broken by default" when the repro starts with "Step 1: the user is utterly pwned" seems a bit hyperbolic.
>
> Drink your SSL + Secure cookies, kids!
>
> --Matt Jones
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
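As an added example (not part of this thread, and not Rails code), here is the scenario Matt describes, reduced to plain Ruby: a minimal HMAC-signed cookie store where all session state lives in the cookie, the replay that still succeeds after the victim logs out, and one way to supply the missing invalidation by binding the cookie to a per-user token that logout rotates. The signing helpers, the `SECRET` value, the in-memory `USERS` hash and its `session_token` field are all constructed stand-ins for this example, not Rails APIs or a real schema.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Constructed stand-in for a secret_key_base; never hard-code a real one.
SECRET = 'constructed-secret-key-base-for-example-only'

# Constant-time comparison so a signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign a payload the way a cookie-based session store does: the data itself
# travels in the cookie, and the server keeps only the signing key.
def sign_cookie(payload)
  data = Base64.strict_encode64(JSON.generate(payload))
  mac = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
  "#{data}--#{mac}"
end

# Verify the signature and return the payload, or nil if it is forged/garbled.
def read_cookie(cookie)
  data, mac = cookie.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
  return nil unless secure_equal?(expected, mac)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# --- The bug: nothing server-side can invalidate a signed cookie ---------
# "Logout" in a pure cookie store only deletes the browser's copy. The
# signature stays valid because the secret has not changed.
def stolen_cookie_still_works?
  cookie = sign_cookie('user_id' => 42) # Victim logs in
  stolen = cookie.dup                    # Step 1: attacker copies the cookie
  # Step 2: Victim logs out; the browser drops its cookie, the server does nothing
  session = read_cookie(stolen)          # Step 3: attacker replays the copy
  !session.nil? && session['user_id'] == 42
end

# --- One fix: bind the cookie to a per-user token that logout rotates ----
# Constructed in-memory stand-in for a users table with a session_token column.
USERS = { 42 => { 'session_token' => SecureRandom.hex(16) } }

def login(user_id)
  sign_cookie('user_id' => user_id,
              'session_token' => USERS[user_id]['session_token'])
end

def logout(user_id)
  # Rotating the stored token kills every cookie that carried the old one,
  # including copies the user never knew were taken.
  USERS[user_id]['session_token'] = SecureRandom.hex(16)
end

# Returns the user id for a valid, still-current cookie, or nil.
def current_user(cookie)
  session = read_cookie(cookie)
  return nil unless session && session['user_id'] && session['session_token']
  user = USERS[session['user_id']]
  return nil unless user && secure_equal?(user['session_token'], session['session_token'])
  session['user_id']
end

def stolen_cookie_rejected_after_logout?
  cookie = login(42)
  stolen = cookie.dup
  before = current_user(stolen) # 42: replay works while Victim is logged in
  logout(42)
  after = current_user(stolen)  # nil: the stolen copy is now dead
  before == 42 && after.nil?
end

if __FILE__ == $0
  puts "replay after logout, plain cookie store: #{stolen_cookie_still_works?}"
  puts "replay rejected with rotating token:     #{stolen_cookie_rejected_after_logout?}"
end
```

The trade-off is the one Matt's point implies: the fix costs a database lookup per request, which is exactly the cost the cookie store was chosen to avoid, and it does nothing for the interval before logout, so SSL plus the Secure (and HttpOnly) cookie flags remain the control that stops the cookie being taken in the first place.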
