#3134 MemCacheStore allows for arbitrary client generated session_ids? - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#3134 open

MemCacheStore allows for arbitrary client generated session_ids?

Reported by Aaron Gibralter | September 2nd, 2009 @ 08:28 AM

Maybe it's just late at night, and I'm going crazy... but it seems to me that MemCacheStore allows for the client to decide what session_id it wants to use. All the a user has to do is edit his session_id cookie to be whatever he wants it to be and Rails will use it. Is this even a problem to worry about?

Would it make sense to HMAC the session_id with some sort of server-side secret? session_options[:secret] isn't even being used for MemCacheStore.

I saw ticket #571... didn't seem to answer the question though.

Comments and changes to this ticket

You flagged this item as spam.
Kevin Menard July 13th, 2010 @ 01:53 PM
- Importance changed from “” to “”
I think it's definitely something to worry about. We had legitimate issues as a result of this behavior. But, since the core team stance (per #571) seems to be that it's not a problem, we just patched it locally. I guess if you think it's unlikely that a user could ever guess another's session ID or that two users modifying their session IDs would ever pick the same one, then it's probably not an issue. But, we saw otherwise.
You flagged this item as spam.
Aaron Gibralter July 13th, 2010 @ 05:23 PM
Would you mind posting your patch?
Santiago Pastorino February 2nd, 2011 @ 04:36 PM
- State changed from “new” to “open”
This issue has been automatically marked as stale because it has not been commented on for at least three months.

The resources of the Rails core team are limited, and so we are asking for your help. If you can still reproduce this error on the 3-0-stable branch or on master, please reply with all of the information you have about it and add "[state:open]" to your comment. This will reopen the ticket for review. Likewise, if you feel that this is a very important feature for Rails to include, please reply with your explanation so we can consider it.

Thank you for all your contributions, and we hope you will understand this step to focus our efforts where they are most helpful.
Santiago Pastorino February 2nd, 2011 @ 04:36 PM
- State changed from “open” to “stale”
You flagged this item as spam.
Aaron Gibralter February 14th, 2011 @ 02:53 PM
Does anyone else think it makes sense for Rails to HMAC the session_ids it creates with a timestamp and a secret? This way people would not be able to brute force their way into hijacking sessions...
You flagged this item as spam.
Aaron Gibralter February 14th, 2011 @ 02:54 PM
- State changed from “stale” to “open”
oops forgot: [state:open]

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

People watching this ticket

Referenced by

3238 mem_cache_store_test has flawed test Alright, I've created a patch for this and ticket #3134.
5588 Integrate support for Dalli Could a new Dalli-based session store also address the se...

Rails Ruby on Rails