Accepting session_id generated on the outside, when using MemCacheStore as SessionStorage
Reported by tmtysk | July 8th, 2008 @ 06:14 AM | in 2.x
In CGI::Session::MemCache,
When using MemCacheStore as SessionStorage, if we create an invalid session_id on the outside and send a request to the Rails application including it, then the server accepts it and responds with a Set-Cookie header including that session_id.
For example:
$ curl -I http://localhost:3000/?_sess=foobar
HTTP/1.1 200 Ok
Connection: close
Date: Tue, 08 Jul 2008 04:59:36 GMT
Set-Cookie: _sess=foobar; path=/
:(omit the rest)
This behavior might be misused for session fixation attacks.
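The behaviour in the report, beside the check that closes it, as an added example rather than Rails or ticket code: a Hash stands in for the memcache client, and the store class, the hex id format and the helper names are constructed for this illustration.

```ruby
require 'securerandom'

# Minimal stand-in for a memcache-backed session store (constructed for this
# example; a Hash replaces the memcache client).
class SessionStore
  def initialize(accept_foreign_ids:)
    @backend = {}
    @accept_foreign_ids = accept_foreign_ids
  end

  # Returns [sid, session_hash]. sid_from_request is whatever the client sent
  # in the cookie (or, as in the ticket, the _sess query parameter).
  def load(sid_from_request)
    if sid_from_request && @backend.key?(sid_from_request)
      return [sid_from_request, @backend[sid_from_request]]
    end

    if @accept_foreign_ids && sid_from_request
      # Ticket behaviour: an unknown id is adopted as-is, so the client picks
      # the id that the server then echoes back in Set-Cookie.
      sid = sid_from_request
    else
      # Hardened: an unknown or missing id is never adopted; the server issues
      # its own random id and the client has to use that one from now on.
      sid = generate_sid
    end
    @backend[sid] = {}
    [sid, @backend[sid]]
  end

  def generate_sid
    SecureRandom.hex(16)
  end
end

# Build the Set-Cookie value a response would carry for a client-supplied id.
def set_cookie_header_for(store, client_sid)
  sid, _session = store.load(client_sid)
  "_sess=#{sid}; path=/"
end

vulnerable = SessionStore.new(accept_foreign_ids: true)
hardened   = SessionStore.new(accept_foreign_ids: false)
puts set_cookie_header_for(vulnerable, 'foobar') # echoes _sess=foobar; path=/
puts set_cookie_header_for(hardened, 'foobar')   # fresh server-generated id
```

A request that presents an id the hardened store has already issued still resumes that session; only ids the server never handed out are replaced.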
Comments and changes to this ticket
-
tmtysk July 8th, 2008 @ 06:07 AM
- Title changed from Accepting session_id generated on the outside using MemCacheStore to Accepting session_id generated on the outside, when using MemCacheStore as SessionStorage
-
josh December 15th, 2008 @ 09:48 PM
- State changed from new to wontfix
The bigger concern would be how someone is injecting fake session data into your memcache server.
-
Kevin Menard June 8th, 2009 @ 07:37 PM
I managed to do this trivially by changing my session ID in my cookie.
-
Kevin Menard June 8th, 2009 @ 07:40 PM
Not sure what the comment is saying. The problem isn't the session data being stored, it's that bad cookies can overwrite existing sessions. This just blew up for us with user auth where an issue with session ID generation caused multiple users to have cookies with the same session ID. Deleting the entry out of memcache was not a sufficient fix, because on the next request a session would be dutifully created based on the ID stored in the (now defunct) cookie.
-
Aaron Gibralter September 18th, 2009 @ 10:31 PM
- Tag changed from actionpack, patch, session, session-fixation to actionpack, bug, patch, session, session-fixation
Has anyone thought about this lately? I opened 3134
Referenced by
- 3134 MemCacheStore allows for arbitrary client generated session_ids? I saw ticket #571... didn't seem to answer the question t...
- 3134 MemCacheStore allows for arbitrary client generated session_ids? I think it's definitely something to worry about. We had ...