This project is archived and is in readonly mode.

#3238 ✓stale
Aaron Gibralter

mem_cache_store_test has flawed test

Reported by Aaron Gibralter | September 20th, 2009 @ 08:07 PM

So I was poking around mem_cache_store_test and noticed that test_prevents_session_fixation passes in both these cases:

  def test_prevents_session_fixation
    with_test_route_set do
      get '/get_session_value'
      assert_response :success
      assert_equal 'foo: nil', response.body
      session_id = cookies['_session_id']
      
      reset!
      
      get '/set_session_value', :_session_id => session_id
      assert_response :success
      assert_equal nil, cookies['_session_id']
    end
  end

AND

  def test_prevents_session_fixation
    with_test_route_set do
      get '/get_session_value'
      assert_response :success
      assert_equal 'foo: nil', response.body
      session_id = cookies['_session_id']
      
      reset!
      
      get '/set_session_value'
      assert_response :success
      assert_equal nil, cookies['_session_id']
    end
  end

(notice the missing :_session_id => session_id in the second)... This just seems to suggest that reset! is doing something to prevent session fixation. From my experience, MemCacheStore allows session fixation (i.e. the client can set their own session_id if they want to).

If I'm mistaken, can anyone explain how this test is actually showing that MemCacheStore's implementation prevents session-fixation?

Thanks!

Comments and changes to this ticket

  • Aaron Gibralter

    Aaron Gibralter September 20th, 2009 @ 08:51 PM

    • Tag changed from action_controller, bug, memcachestore, session-fixation, sessions to action_controller, bug, memcachestore, patch, session-fixation, sessions

    Alright, I've created a patch for this and ticket #3134.

  • CancelProfileIsBroken

    CancelProfileIsBroken September 25th, 2009 @ 11:57 AM

    • Tag changed from action_controller, bug, memcachestore, patch, session-fixation, sessions to action_controller, bug, bugmash, memcachestore, patch, session-fixation, sessions
  • Blue Box Chris

    Blue Box Chris September 27th, 2009 @ 12:13 AM

    Unable to run this on a fresh check out.

    error: actionpack/lib/action_controller/session/mem_cache_store.rb: does not exist in index
    error: actionpack/test/controller/session/mem_cache_store_test.rb: does not exist in index
    Patch failed at 0001.
    When you have resolved this problem run "git-am --resolved".
    If you would prefer to skip this patch, instead run

  • Elad Meidar

    Elad Meidar September 27th, 2009 @ 12:54 AM

    @Aaron: Correct me if i'm wrong, but if assert_equal nil, cookies['_session_id'] is passing on both cases, it means that the session_id is not affected by sending a param named _session_id and remains as nil... not sure i see the problem or exactly what is so disturbing around here, care to elaborate some more?

    -1 on the patch though, applies on 2-3-stable only and not on master, iv'e added a patch for master too.

  • Blue Box Stephen

    Blue Box Stephen September 27th, 2009 @ 02:50 AM

    +1 on Elad's patch. applies and passes here.

  • John Pignata

    John Pignata September 27th, 2009 @ 03:19 AM

    +1 verified patch applies and tests pass

  • Aaron Gibralter

    Aaron Gibralter September 28th, 2009 @ 04:42 AM

    Yeah sorry, forgot to say that the patch was for 2-3-stable. The master branch has a new actionpack directory structure... Is there a way to submit a patch for multiple branches? Or should patches always be for master?

    @Elad: Ah, so it's just showing that cookie_only is being enforced... kk I get it.

  • Aaron Gibralter

    Aaron Gibralter October 1st, 2009 @ 07:23 PM

    @Elad: Actually, why does assert_equal nil, cookies['session_id'] pass? The test seems like it's trying to show that the session store ignores the URL param :session_id => session_id; however, shouldn't get '/set_session_value' set a cookie regardless of the params you pass in??

    I do think the test is broken because it seems that reset! is causing the get '/set_session_value' to not set a cookie... See these examples:

    # THIS PASSES:
    def test_prevents_session_fixation
      with_test_route_set do
        reset!
        get '/set_session_value'
        assert_response :success
        assert_equal nil, cookies['_session_id']
      end
    end
    # THIS DOESN'T PASS:
    def test_prevents_session_fixation
      with_test_route_set do
        get '/set_session_value'
        assert_response :success
        assert_equal nil, cookies['_session_id']
      end
    end
    
  • Rizwan Reza

    Rizwan Reza February 12th, 2010 @ 12:46 PM

    • Tag changed from action_controller, bug, bugmash, memcachestore, patch, session-fixation, sessions to action_controller, bug, memcachestore, patch, session-fixation, sessions
  • Lucas Willett

    Lucas Willett October 15th, 2010 @ 03:17 AM

    • Importance changed from “” to “”

    The patch from @elad no longer applies cleanly to 2-3-stable or master. Given that this issue has existed for some 13 months now, is this issue still relevant?

  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 04:21 PM

    • State changed from “new” to “open”

    This issue has been automatically marked as stale because it has not been commented on for at least three months.

    The resources of the Rails core team are limited, and so we are asking for your help. If you can still reproduce this error on the 3-0-stable branch or on master, please reply with all of the information you have about it and add "[state:open]" to your comment. This will reopen the ticket for review. Likewise, if you feel that this is a very important feature for Rails to include, please reply with your explanation so we can consider it.

    Thank you for all your contributions, and we hope you will understand this step to focus our efforts where they are most helpful.

  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 04:21 PM

    • State changed from “open” to “stale”
  • Aaron Gibralter

    Aaron Gibralter February 14th, 2011 @ 02:50 PM

    So I just took another look at this.

    def test_prevents_session_fixation
      with_test_route_set do
        get '/get_session_value'
        assert_response :success
        assert_equal 'foo: nil', response.body
        session_id = cookies['_session_id']
    
        reset!
    
        get '/set_session_value', :_session_id => session_id
        assert_response :success
        assert_not_equal session_id, cookies['_session_id']
      end
    end
    

    Basically, Rails's session fixation protection is that it doesn't accept a session_id as a parameter (by default -- if you pass the session option cookie_only: false session fixation can be a problem). What I was confused about in this test is the part before reset!, but now I guess it makes sense: it's just generating a "valid" session_id.

    Please close this ticket.

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

People watching this ticket

Pages