Full Disclosure mailing list archives

Re: [Ruby on Rails] Move away from CookieStore if you care about your users and their security. Here is a technical explanation why.


From: joernchen <joernchen () phenoelit de>
Date: Wed, 25 Sep 2013 11:50:37 +0200

Hi,

On Tue, Sep 24, 2013 at 09:30:58PM -0400, G. S. McNamara wrote:
> Ruby on Rails Web applications versions 2.0 through 4.0 are by default
> vulnerable to an oft-overlooked Web application security issue: Session
> cookies are valid for life.* A malicious user could use the stolen cookie
> from any authenticated request by the user to log in as them at any point
> in the future.

There are other fun things which might happen: imagine App_A and App_B
which share the same codebase (let's just imagine two instances of
some kind of appliance with a RoR Web frontend). If the vendor has not
taken care to generate a unique cookie-signing secret for each appliance,
you could just log into your appliance (App_A) and reuse the token on
App_B, yielding a session with the same userId on App_B.

This however relies on a mechanism like "authenticated_system" which
just puts your userId in the session cookie.
cheers,

joernchen
-- 
joernchen ~ Phenoelit
<joernchen () phenoelit de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

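A small Ruby model of the cross-instance replay joernchen describes, added here as an illustration; it is not code from the thread and not Rails' own CookieStore. It assumes a simplified signed-cookie layout (base64 payload, "--", HMAC-SHA1 hex), uses JSON in place of Marshal, and the secrets, user id and timestamps are constructed. It also shows the two defensive checks a practitioner would want: a per-instance secret, and an issued-at timestamp with a maximum age so a stolen cookie is not "valid for life".

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example, not Rails' own code: a simplified model of a signed session
# cookie (base64 payload + "--" + HMAC-SHA1). JSON stands in for Marshal so the
# example is safe to run; secrets and user ids below are constructed values.
SHARED_SECRET = 'appliance-firmware-default-secret'     # same image on every box
APP_B_UNIQUE_SECRET = OpenSSL::Random.random_bytes(64)  # generated at install time

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign_session(session, secret)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)}"
end

# Returns the session hash only if the signature verifies under `secret`, else nil.
def load_session(cookie, secret)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_equal?(OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data), digest)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# Mitigation for "valid for life": the payload carries issued_at and the server
# rejects anything older than max_age, so a replayed cookie eventually expires.
def authenticated_user(cookie, secret, max_age:, now: Time.now.to_i)
  session = load_session(cookie, secret)
  return nil unless session && session['user_id'] && session['issued_at']
  return nil if now - session['issued_at'] > max_age
  session['user_id']
end

# App_A issues a session for user 42 at time 1_380_000_000 (constructed epoch).
APP_A_COOKIE = sign_session({ 'user_id' => 42, 'issued_at' => 1_380_000_000 }, SHARED_SECRET)
if __FILE__ == $PROGRAM_NAME
  t = 1_380_000_000 + 600
  puts "App_B, shared secret:  #{authenticated_user(APP_A_COOKIE, SHARED_SECRET, max_age: 3600, now: t).inspect}"
  puts "App_B, unique secret:  #{authenticated_user(APP_A_COOKIE, APP_B_UNIQUE_SECRET, max_age: 3600, now: t).inspect}"
  puts "Replay a day later:    #{authenticated_user(APP_A_COOKIE, SHARED_SECRET, max_age: 3600, now: t + 86_400).inspect}"
end
```

With the shared secret App_B accepts App_A's cookie as user 42; with its own secret, or once the cookie is older than max_age, it is rejected.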
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/