#571 ✓wontfix
tmtysk

Accepting session_id generated on the outside, when using MemCacheStore as SessionStorage

Reported by tmtysk | July 8th, 2008 @ 06:14 AM | in 2.x

In CGI::Session::MemCache,

when using MemCacheStore as SessionStorage, if we create an invalid session_id on the outside and send a request to the Rails application including it, then the server accepts it and responds with a Set-Cookie header including that session_id.

For example:

    $ curl -I http://localhost:3000/?_sess=foobar
    HTTP/1.1 200 Ok
    Connection: close
    Date: Tue, 08 Jul 2008 04:59:36 GMT
    Set-Cookie: _sess=foobar; path=/
    :(omit the rest)

This behavior might be misused by session fixation attacks.
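The following is an added illustration, not code from the ticket or from Rails: a constructed in-memory stand-in for memcache, a store that adopts whatever id the client presents (the behaviour reported above), and a hardened store that only honours ids it already knows and otherwise issues a fresh server-generated one. All class and method names are assumptions for the example.

```ruby
require 'securerandom'

# Constructed stand-in for a memcache-style key/value backend (not Rails code).
class FakeMemcache
  def initialize; @data = {}; end
  def get(key); @data[key]; end
  def set(key, value); @data[key] = value; end
  def delete(key); @data.delete(key); end
end

# Mirrors the reported behaviour: the client-supplied id is used as the storage
# key unconditionally, so an id nobody issued becomes a live session and is
# echoed straight back in Set-Cookie.
class AdoptingSessionStore
  def initialize(backend)
    @backend = backend
  end

  def load(client_sid)
    sid = client_sid || SecureRandom.hex(16)
    data = @backend.get("session:#{sid}") || {}
    @backend.set("session:#{sid}", data)
    [sid, data]
  end
end

# Hardened variant: a presented id is honoured only if it is well-formed AND the
# backend already holds a session under it; anything else gets a fresh id, so a
# stale or attacker-chosen cookie is never resurrected as a new session.
class ValidatingSessionStore
  VALID_SID = /\A\h{32}\z/

  def initialize(backend)
    @backend = backend
  end

  def load(client_sid)
    if client_sid && VALID_SID.match?(client_sid)
      data = @backend.get("session:#{client_sid}")
      return [client_sid, data] if data
    end
    sid = SecureRandom.hex(16)          # the server chooses the id, never the client
    @backend.set("session:#{sid}", {})
    [sid, {}]
  end
end

# Set-Cookie value the application would send back for a given session id.
def set_cookie_header(sid)
  "_sess=#{sid}; path=/"
end
```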

Comments and changes to this ticket

  • tmtysk

    tmtysk July 8th, 2008 @ 06:07 AM

    • Title changed from “Accepting session_id generated on the outside using MemCacheStore” to “Accepting session_id generated on the outside, when using MemCacheStore as SessionStorage”

  • josh

    josh December 15th, 2008 @ 09:48 PM

    • State changed from “new” to “wontfix”

    The bigger concern would be how someone is injecting fake session data into your memcache server.

  • Kevin Menard

    Kevin Menard June 8th, 2009 @ 07:37 PM

    I managed to do this trivially by changing my session ID in my cookie.

  • Kevin Menard

    Kevin Menard June 8th, 2009 @ 07:40 PM

    Not sure what the comment is saying. The problem isn't the session data being stored, it's that bad cookies can overwrite existing sessions. This just blew up for us with user auth where an issue with session ID generation caused multiple users to have cookies with the same session ID. Deleting the entry out of memcache was not a sufficient fix, because on the next request a session would be dutifully created based on the ID stored in the (now defunct) cookie.

  • Aaron Gibralter

    Aaron Gibralter September 18th, 2009 @ 10:31 PM

    • Tag changed from actionpack, patch, session, session-fixation to actionpack, bug, patch, session, session-fixation

    Has anyone thought about this lately? I opened 3134

Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
