This project is archived and is in readonly mode.
ActiveRecord::SessionStore allows blank session_id
Reported by phan | March 2nd, 2010 @ 12:39 PM | in 3.0.6
ActiveRecord::SessionStore::Session does not check for empty session_id value. So when cookie_only = false and passing in empty session_key value, a session with empty session_id can be saved into db.
The problematic code seems to be in AbstractStore
def load_session(env)
request = Rack::Request.new(env)
sid = request.cookies[@key]
unless @cookie_only
sid ||= request.params[@key]
end
sid, session = get_session(env, sid)
[sid, session]
end
and in ActiveRecord::SessionStore
def find_session(id)
@@session_class.find_by_session_id(id) ||
@@session_class.new(:session_id => id, :data => {})
end
None of these check for empty value sid.
Comments and changes to this ticket
-
Yehuda Katz (wycats) March 29th, 2010 @ 01:08 AM
- State changed from “new” to “incomplete”
- Tag set to “question”
- Assigned user set to “Yehuda Katz (wycats)”
- Milestone cleared.
What's the case where the user unintentionally passes in an empty session ID?
-
phan March 29th, 2010 @ 01:14 AM
If the user unintentionally pass in a empty session ID, I would think, we'd have to generate one for them. Otherwise if two users * unintentionally* passing empty session ids, they are gonna share a session object therefore a security risk.
-
Dan Pickett May 15th, 2010 @ 02:00 AM
- Tag changed from “question” to “bugmash, question”
Can someone write a failing test case to verify this behavior? Patches welcome as well, of course!
-
Anil Wadghule May 15th, 2010 @ 10:27 AM
not reproducible
I have added following lines in session_store.rb
Rails.application.config.session_store :active_record_store, :cookie_only => false, :key => nil
Attached is a rails app showing it is not reproducible. Hit multiple requests to http://localhost:3000/ (with multiple browsers). It never adds a record with session_id as nil / blank.
-
Rust/OGAWA May 25th, 2010 @ 08:31 AM
Attached patch is a test which should fail : a blank session_id is allowed.
-
-
Rust/OGAWA May 25th, 2010 @ 08:50 AM
In ActionController::Session::AbstractStore, session_id is regenerated if it is nil. However, session_id is null string(""), it is not regenereted.
Threfore, if session_id is null string, AbstractStore runs the code like ActionController::Request#reset_session and regenerates session_id. And ActionController::Session::AbstractStore#load_session treats correctly if request.cookies[@key] is blank.
This patch for 2-3-stable is attached.
-
-
-
Ryan Bigg October 19th, 2010 @ 08:34 AM
- Tag cleared.
- Importance changed from “” to “Low”
Automatic cleanup of spam.
-
-
-
Santiago Pastorino February 27th, 2011 @ 03:15 AM
- Milestone changed from “3.0.5” to “3.0.6”
-
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile »
<h2 style="font-size: 14px">Tickets have moved to Github</h2>
The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>
Anil Wadghule
Dave Doolin
Jeremy Kemper
Rust/OGAWA
Ryan Bigg
Yehuda Katz (wycats)