Security: reset_session doesn't work under some conditions (session fixation possible)
Reported by Pawel | March 8th, 2009 @ 05:32 PM | in 2.x
Hello,
As Rails 2.3 is not stable yet I think it won't hurt anyone if I publish this security related bug as a public ticket.
This bug is similar to #1601.
Using ActiveRecord session store and setting session variables after invoking reset_session causes the session id not to change. It is common to reset the session, and then set authentication-related variables in the session to prevent session fixation. Under the ActiveRecord store this attack is not prevented.
Example controller code:

  def authenticate
    session[:lazy_load_to_get_id]  # touch the session so it is lazily loaded and its id becomes known
    old_session_id = request.session_options[:id]
    reset_session                  # standard way to prevent session fixation
    session[:old_session_id] = old_session_id  # setting a value after reset should be saved under a NEW id
    redirect_to :action => 'privileged_action'
  end

  def privileged_action
    # If the id survived reset_session, the id an attacker planted before login still works
    if session[:old_session_id] == request.session_options[:id]
      render :text => 'Hey, session fixation is possible!'
    else
      render :text => 'Looks ok'
    end
  end
CookieStore handles this scenario correctly.
Tested on 2.3-rc2 and edge rails (revision 9b8cde41bc84466bf60fc4de6af54dbeb11cc0d6).
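The following is an added illustration of the behaviour the report describes, written as a self-contained model rather than taken from the ticket or from Rails itself. It uses a constructed in-memory session table, a constructed attacker-known id, and two reset variants (`reset_keep_id` and `reset_new_id`, both invented names here) to show why a reset that keeps the request's id leaves the planted id resolving to the authenticated session, and why forcing a fresh id closes the hole:

```ruby
require 'securerandom'

# Server-side session table: session id => session data. This is a constructed
# stand-in for a database-backed store, not Rails' ActiveRecord::SessionStore.
class SessionTable
  def initialize
    @rows = {}
  end

  def load(id)
    @rows[id] ||= {}
  end

  def lookup(id)
    @rows[id]
  end

  def delete(id)
    @rows.delete(id)
  end

  def save(id, data)
    @rows[id] = data
  end
end

# One request's view of the session, roughly the way a controller sees it.
class RequestSession
  attr_reader :id

  def initialize(table, cookie_id)
    @table = table
    @id = cookie_id || SecureRandom.hex(16)
    @data = nil # loaded lazily on first access, as the report relies on
  end

  def [](key)
    load[key]
  end

  def []=(key, value)
    load[key] = value
    @table.save(@id, @data) # persisted under whatever @id currently is
  end

  # Buggy variant (hypothetical name): wipes the data but keeps the id the
  # request arrived with, so values set afterwards land under the client-chosen id.
  def reset_keep_id
    @table.delete(@id)
    @data = {}
  end

  # Fixed variant (hypothetical name): also forces a fresh, unpredictable id,
  # which is what a correct reset_session must do.
  def reset_new_id
    @table.delete(@id)
    @data = {}
    @id = SecureRandom.hex(16)
  end

  private

  def load
    @data ||= @table.load(@id)
  end
end

# Plays out the fixation scenario: the victim's request carries an id the
# attacker already knows, then authenticates. Returns true if that known id
# still resolves to the authenticated session afterwards.
def fixation_possible?(reset_method)
  table = SessionTable.new
  planted_id = 'attacker-known-id' # constructed value for the demonstration
  victim = RequestSession.new(table, planted_id)
  victim[:lazy_load_to_get_id]     # force the lazy load, as in the report
  victim.public_send(reset_method)
  victim[:user_id] = 42            # authentication-related value set after reset
  row = table.lookup(planted_id)
  !row.nil? && row[:user_id] == 42
end

puts "keep id: fixation possible? #{fixation_possible?(:reset_keep_id)}"
puts "new id:  fixation possible? #{fixation_possible?(:reset_new_id)}"
```

The useful regression check for any server-side store is the one `fixation_possible?` encodes: after a reset followed by a write, the id the request came in with must no longer resolve to any session row, and the new id must differ from it. A test that only asserts the session data was cleared would pass against the buggy variant.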
Comments and changes to this ticket

Pratik March 8th, 2009 @ 06:05 PM
- Assigned user set to josh

Repository March 10th, 2009 @ 03:46 AM
(from [224a534400fd622dda57058d1eed349b8375e5e3]) reset_session should force a new session id to be generated [#2173] http://github.com/rails/rails/co...

josh March 10th, 2009 @ 03:47 AM
- State changed from new to resolved
Tickets have moved to Github. The new ticket tracker is available at https://github.com/rails/rails/issues