Full Disclosure mailing list archives
Re: [Ruby on Rails] Move away from CookieStore if you care about your users and their security. Here is a technical explanation why.
From: joernchen <joernchen () phenoelit de>
Date: Wed, 25 Sep 2013 11:50:37 +0200
Hi,

On Tue, Sep 24, 2013 at 09:30:58PM -0400, G. S. McNamara wrote:
> Ruby on Rails Web applications versions 2.0 through 4.0 are by default vulnerable to an oft-overlooked Web application security issue: Session cookies are valid for life.* A malicious user could use the stolen cookie from any authenticated request by the user to log in as them at any point in the future.
There are other fun things which might happen: imagine App_A and App_B, which share the same codebase (let's just imagine two instances of some kind of appliance with a RoR Web frontend). If the vendor has not taken care to generate a unique cookie-signing secret for each appliance, you could just log into your appliance (App_A) and reuse the token on App_B, yielding a session with the same userId on App_B. This however relies on a mechanism like "authenticated_system" which just puts your userId in the session cookie.

cheers,

joernchen

-- 
joernchen ~ Phenoelit <joernchen () phenoelit de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de                           ~ A46A 7199 8B7B 756A F5AC

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
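The two points in this thread, a cookie that never expires and a signing secret shared across installs, come down to what the CookieStore verifies and what it does not. The following is an added Ruby example, not Rails' own code: a minimal signed cookie modelled on the CookieStore's `base64(payload)--hexHMAC-SHA1` format (Rails marshals the payload; JSON is used here so it runs stand-alone), two constructed appliance secrets, and the server-side freshness check the store itself lacks.

```ruby
require 'openssl'
require 'json'

# Modelled on the Rails 2/3 CookieStore wire format base64(payload)--hexHMAC-SHA1
# (Rails marshals the payload; JSON keeps this stand-alone). Added example code,
# not Rails' own implementation.
module CookieSession
  SEP = '--'

  def self.generate(secret, session_hash)
    data = [JSON.generate(session_hash)].pack('m0')   # strict base64, no newlines
    "#{data}#{SEP}#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
  end

  # Returns the session hash if the MAC verifies, else nil. Note what is absent:
  # no expiry and no server-side state, so a cookie that verified once verifies
  # forever, and any instance holding the same secret accepts it.
  def self.verify(secret, cookie)
    data, sig = cookie.to_s.split(SEP, 2)
    return nil if data.nil? || sig.nil?
    expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
    return nil unless constant_time_equal?(expected, sig)
    JSON.parse(data.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    nil   # malformed base64 or payload: treat as no session
  end

  # Constant-time comparison so the check does not leak the valid digest.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Defensive check the store lacks: reject sessions older than max_age seconds.
  def self.fresh?(session, now, max_age)
    issued = session && session['issued_at']
    issued.is_a?(Numeric) && now - issued <= max_age
  end
end

# Constructed scenario: App_A and App_B are two installs of one appliance image.
VENDOR_DEFAULT = 'same-secret-in-every-shipped-image'.freeze   # constructed
PER_INSTALL    = 'secret-generated-on-first-boot'.freeze        # constructed

def cross_instance_check
  cookie = CookieSession.generate(VENDOR_DEFAULT, 'user_id' => 42, 'issued_at' => 1_380_000_000)
  {
    shared_secret: CookieSession.verify(VENDOR_DEFAULT, cookie), # App_B accepts App_A's cookie
    unique_secret: CookieSession.verify(PER_INSTALL, cookie)     # App_B with its own secret rejects it
  }
end
```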