This project is archived and is in readonly mode.

#2177 ✓stale

Unneccessary session loading/creation in form_authenticity_token

Reported by Pawel | March 9th, 2009 @ 11:10 AM | in 3.x

This is the current implementation of form_authenticity_token:

def form_authenticity_token
  session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)

The problem with it:

When user doesn't have a session and visits page with form protected from request forgery Rails automatically create new session for him just to store csrf_token. When user has a session cookie and visits page with form, Rails loads the session just to retrieve csrf_token, even if the session is not used entirely in the given action.

In applications with main functionality accessible after login the session can be used only in actions for logged, trusted users. This design protect against DoS against session store (when something else than cookie store is being used) as not logged attackers won't be able to create and even load the session.

My idea is to introduce two changes to make form_authenticity_token not create or load the session:

  1. Create method to get session id without loading the session itself. Except cookie store it is as easy as getting session id from cookie. In cookie store it should be acceptable to load the session to get id as it doesn't cost much.
  2. Modify form_authenticity_token to return HMAC(session_id, server_side_secret). Yup, code changed by this nice commit needs to be changed once again. HMAC is to make it impossible for attacker to obtain session id from forgery protection token (as it is easier for him to obtain token than session). Secret is safely stored on server so session id will be secure.

Note: when session cookie is not set in the browser, getting session id would require setting this cookie. This is side effect, but it is already present in Rails -- loading the session (to get session id) automatically sets the cookie.

Comments and changes to this ticket

  • foospam (at o2)

    foospam (at o2) March 15th, 2009 @ 08:13 PM

    +1 for me. I'm using ActiveRecord session store and my db would be gratefull to see less session related hits.

  • Matthew Beale

    Matthew Beale May 19th, 2009 @ 10:27 PM

    Also, ActiveSupport::SecureRandom.base64(32) is spitting out strings with spaces in them. The spaces are converted to + in params manipulation so there are intermittent InvalidAuthTokens.

    Have you guys seen this?

  • coffeeaddict_nl

    coffeeaddict_nl December 10th, 2009 @ 07:07 AM

    +1 for me 2! I have seen the intermittent InvalidAuthToken messages (mainly IE6). { Still can't figure out why Rails still uses base64 when hex is also available on the same module }

    I am all for the proposed method of using hmac for the authenticitytoken as it will prevent those errors and seems more secure then the current random value, but I fail to see how one can protect the session store against DoS with it if you need a session ID.

    If an antagonist where to make 1000 fresh requests, you will have 1000 sessions created. In a DDoS that will swamp your mysql server in no time - seems like a non fix on that end 2 me

  • Jeremy Kemper

    Jeremy Kemper May 4th, 2010 @ 06:48 PM

    • Milestone changed from 2.x to 3.x
  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 04:53 PM

    • State changed from “new” to “open”
    • Importance changed from “” to “”

    This issue has been automatically marked as stale because it has not been commented on for at least three months.

    The resources of the Rails core team are limited, and so we are asking for your help. If you can still reproduce this error on the 3-0-stable branch or on master, please reply with all of the information you have about it and add "[state:open]" to your comment. This will reopen the ticket for review. Likewise, if you feel that this is a very important feature for Rails to include, please reply with your explanation so we can consider it.

    Thank you for all your contributions, and we hope you will understand this step to focus our efforts where they are most helpful.

  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 04:53 PM

    • State changed from “open” to “stale”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>

Referenced by