On Oct 17, 9:14 pm, Avik <[email protected]> wrote:

> 1. Using CookieStore opens the door to "replay attacks", whose
> importance is, we feel, underestimated. A dishonest user can replay an
> old session to fool the server, of course; but more critically, it may
> be possible for an attacker to steal a cookie from an honest user
> after the latter is authenticated, and replay that session. The
> obvious fix is to include nonce-checking for every session object to
> ensure its freshness, but this may require storing nonces in the
> database, which may go against the point of using CookieStore. Are
> most users of Rails aware of this problem? How many actually use
> ActiveRecordStore instead of CookieStore? If the latter is by far the
> most common mode, then we believe that default should be
> ActiveRecordStore, as it is much less susceptible to this problem.
> (Session ids are usually not stateful in a bad way.)

All true, but I've always thought that at the point where people can steal your cookies then you're a bit shafted anyway. The replayability does make it a bit worse than just stealing a session cookie, but then a lot of sites have a 'remember me' cookie; why bother stealing the session when you could steal that?

> 2. The CSRF protection, at least in Rails 2.2.2, seems too weak. Rails
> comes close to implementing a fix, by embedding and checking hidden
> tokens (for POST requests). But it is well-known that for such a fix
> to work, the tokens should be session-specific. Unfortunately, we
> found that the implementation in 2.2.2 can return the same token even
> if, e.g., session[:user] is different. This is bad, since an attacker
> may not be an outsider: it can reasonably have an account with the
> server, and if it gets back a token which it can then embed in forms
> used by other, honest users, then it can execute CSRF attacks!

That seems odd. Glancing at the code, it would seem that in 2.2.2 the secret is a digest of the session_id and a secret (for non-cookie stores), and in the case of a cookie store a digest of a random identifier and a secret. How were you able to get it to return the same token for two different sessions?

Fred

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
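The two points argued in the thread, cookie-store replay and session-bound CSRF tokens, as an added, stand-alone Ruby example. This is not code from the thread or from Rails; it is a minimal model of what a signed cookie store and a session-specific CSRF token look like, with a server-side nonce set as the "store nonces in the database" fix Avik describes. `SECRET`, `CookieSession`, `Server` and the `csrf:` label are hypothetical names chosen here; the signature layout (base64 payload, `--`, hex HMAC) and the use of HMAC-SHA256 are assumptions for the example, not Rails 2.2.2 internals.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'
require 'set'

# Hypothetical server secret; a real deployment reads this from config.
SECRET = 'assumed-server-secret-do-not-reuse'.freeze

module CookieSession
  # Serialise and sign the session the way a cookie-based store does:
  # base64(json) + '--' + HMAC-SHA256(secret, base64(json)).
  def self.dump(hash, secret)
    payload = Base64.strict_encode64(JSON.generate(hash))
    "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
  end

  # Verify the signature and return the session hash, or nil if the cookie
  # was tampered with. A genuine but *old* cookie still passes here: the
  # signature proves origin, not freshness, which is the replay problem.
  def self.load(cookie, secret)
    payload, sig = cookie.to_s.split('--', 2)
    return nil unless payload && sig
    expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
    return nil unless secure_compare(expected, sig)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Constant-time comparison so the MAC check does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

class Server
  def initialize(secret)
    @secret = secret
    # Server-side record of session nonces that are still live. This is the
    # state a pure cookie store avoids, and the price of rejecting replays.
    @live = Set.new
  end

  # Issue a signed session cookie carrying a fresh random nonce.
  def login(user)
    nonce = SecureRandom.hex(16)
    @live << nonce
    CookieSession.dump({ 'user' => user, 'nonce' => nonce }, @secret)
  end

  # Accept a cookie only if it is authentic AND its nonce is still live,
  # so a cookie replayed after logout is rejected despite a valid MAC.
  def authenticate(cookie)
    session = CookieSession.load(cookie, @secret)
    return nil unless session && @live.include?(session['nonce'])
    session
  end

  def logout(cookie)
    session = CookieSession.load(cookie, @secret)
    @live.delete(session['nonce']) if session
  end

  # Session-specific CSRF token: an HMAC over the session's random
  # identifier, so tokens obtained from one account are useless in forms
  # submitted under another session.
  def csrf_token_for(cookie)
    session = authenticate(cookie)
    return nil unless session
    OpenSSL::HMAC.hexdigest('SHA256', @secret, "csrf:#{session['nonce']}")
  end

  def valid_csrf?(cookie, token)
    expected = csrf_token_for(cookie)
    !expected.nil? && CookieSession.secure_compare(expected, token.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  server = Server.new(SECRET)
  alice = server.login('alice')
  bob = server.login('bob')
  puts "alice token == bob token? #{server.csrf_token_for(alice) == server.csrf_token_for(bob)}"
  puts "bob accepts alice's token? #{server.valid_csrf?(bob, server.csrf_token_for(alice))}"
  server.logout(alice)
  puts "old cookie still verifies: #{!CookieSession.load(alice, SECRET).nil?}"
  puts "old cookie still authenticates: #{!server.authenticate(alice).nil?}"
end
```

The contrast worth noticing is between `CookieSession.load` and `Server#authenticate`: after logout the old cookie still carries a valid signature, so a store that checks only the MAC would accept the replay, while the nonce set rejects it. Whether that server-side state is acceptable is exactly the trade-off the thread is debating.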

