Rails Ruby on Rails

Comments and changes to this ticket

• You flagged this item as spam.
  

  Aaron Gibralter September 20th, 2009 @ 08:51 PM

  • Tag changed from “action_controller, bug, memcachestore, session-fixation, sessions” to “action_controller, bug, memcachestore, patch, session-fixation, sessions”

  Alright, I've created a patch for this and ticket #3134.

  • mem_cache_store_fix.diff 2.4 KB
• 

  CancelProfileIsBroken September 25th, 2009 @ 11:57 AM

  • Tag changed from “action_controller, bug, memcachestore, patch, session-fixation, sessions” to “action_controller, bug, bugmash, memcachestore, patch, session-fixation, sessions”

• You flagged this item as spam.
  

  Blue Box Chris September 27th, 2009 @ 12:13 AM

  Unable to run this on a fresh check out.

  error: actionpack/lib/action_controller/session/mem_cache_store.rb: does not exist in index
  error: actionpack/test/controller/session/mem_cache_store_test.rb: does not exist in index
  Patch failed at 0001.
  When you have resolved this problem run "git-am --resolved".
  If you would prefer to skip this patch, instead run

• You flagged this item as spam.
  

  Elad Meidar September 27th, 2009 @ 12:54 AM

  @Aaron: Correct me if i'm wrong, but if assert_equal nil, cookies['_session_id'] is passing on both cases, it means that the session_id is not affected by sending a param named _session_id and remains as nil... not sure i see the problem or exactly what is so disturbing around here, care to elaborate some more?

  -1 on the patch though, applies on 2-3-stable only and not on master, iv'e added a patch for master too.

  • LH3238-mem_cache_store_prevents_arbitrary_key_selection-master.diff 2.3 KB

• You flagged this item as spam.
  

  Blue Box Stephen September 27th, 2009 @ 02:50 AM

  +1 on Elad's patch. applies and passes here.

• You flagged this item as spam.
  

  John Pignata September 27th, 2009 @ 03:19 AM

  +1 verified patch applies and tests pass

• You flagged this item as spam.
  

  Aaron Gibralter September 28th, 2009 @ 04:42 AM

  Yeah sorry, forgot to say that the patch was for 2-3-stable. The master branch has a new actionpack directory structure... Is there a way to submit a patch for multiple branches? Or should patches always be for master?

  @Elad: Ah, so it's just showing that cookie_only is being enforced... kk I get it.

• You flagged this item as spam.
  

  Aaron Gibralter October 1st, 2009 @ 07:23 PM

  @Elad: Actually, why does assert_equal nil, cookies['session_id'] pass? The test seems like it's trying to show that the session store ignores the URL param :session_id => session_id; however, shouldn't get '/set_session_value' set a cookie regardless of the params you pass in??

  I do think the test is broken because it seems that reset! is causing the get '/set_session_value' to not set a cookie... See these examples:

  # THIS PASSES:
  def test_prevents_session_fixation
    with_test_route_set do
      reset!
      get '/set_session_value'
      assert_response :success
      assert_equal nil, cookies['_session_id']
    end
  end
  # THIS DOESN'T PASS:
  def test_prevents_session_fixation
    with_test_route_set do
      get '/set_session_value'
      assert_response :success
      assert_equal nil, cookies['_session_id']
    end
  end
  

• 

  Rizwan Reza February 12th, 2010 @ 12:46 PM

  • Tag changed from “action_controller, bug, bugmash, memcachestore, patch, session-fixation, sessions” to “action_controller, bug, memcachestore, patch, session-fixation, sessions”

  [bulk edit]

• You flagged this item as spam.
  

  Lucas Willett October 15th, 2010 @ 03:17 AM

  • Importance changed from “” to “”

  The patch from @elad no longer applies cleanly to 2-3-stable or master. Given that this issue has existed for some 13 months now, is this issue still relevant?

• 

  Santiago Pastorino February 2nd, 2011 @ 04:21 PM

  • State changed from “new” to “open”

  This issue has been automatically marked as stale because it has not been commented on for at least three months.

  The resources of the Rails core team are limited, and so we are asking for your help. If you can still reproduce this error on the 3-0-stable branch or on master, please reply with all of the information you have about it and add "[state:open]" to your comment. This will reopen the ticket for review. Likewise, if you feel that this is a very important feature for Rails to include, please reply with your explanation so we can consider it.

  Thank you for all your contributions, and we hope you will understand this step to focus our efforts where they are most helpful.

• 

  Santiago Pastorino February 2nd, 2011 @ 04:21 PM

  • State changed from “open” to “stale”

• You flagged this item as spam.
  

  Aaron Gibralter February 14th, 2011 @ 02:50 PM

  So I just took another look at this.

  def test_prevents_session_fixation
    with_test_route_set do
      get '/get_session_value'
      assert_response :success
      assert_equal 'foo: nil', response.body
      session_id = cookies['_session_id']
  
      reset!
  
      get '/set_session_value', :_session_id => session_id
      assert_response :success
      assert_not_equal session_id, cookies['_session_id']
    end
  end
  

  Basically, Rails's session fixation protection is that it doesn't accept a session_id as a parameter (by default -- if you pass the session option cookie_only: false session fixation can be a problem). What I was confused about in this test is the part before reset!, but now I guess it makes sense: it's just generating a "valid" session_id.

  Please close this ticket.