
session hijack #5348

Closed
surajit opened this issue Feb 17, 2021 · 6 comments

@surajit

surajit commented Feb 17, 2021

Environment

  • Ruby [ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]]
  • Rails [5.2.4.4]
  • Devise [4.7.3]

Current behavior

As a user, after login a session is generated and a cookie is also set (_session id). I copied the session id, and after logout I tried to make a request with the copied old session id using a CURL command; I was able to access the logged-in view content, though it should not be possible.
In my application, in the config/environments/production.rb file, the force_ssl: true option is already enabled. I was trying to follow the Railscasts video below (https://www.youtube.com/watch?v=FVo3d4GgdqU&t=200s).

Expected behavior

It should restrict the user from accessing with the older session id, as the user has already logged out from the server. But the issue still remains: using the old session id, anyone can access the logged-in view.
What will be the solution here?

@rafaelfranca
Collaborator

The solution is to not use cookies to store the session. Use an external database like mysql or redis. What you are describing is session replay and it is explained here.

@paul-mesnilgrente

I am not sure I understand why you say that the solution is to not use cookies. The Rails documentation says:

The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well. Here is how to create a new session in Rails: reset_session

And also:

If you use the popular Devise gem for user management, it will automatically expire sessions on sign in and sign out for you.

From my point of view, if you call reset_session on logout, then all sessions should be invalidated and a session replay shouldn't be possible. Or maybe I am misunderstanding how the session replay works?

@rafaelfranca
Collaborator

reset_session can only access the session in one browser, not in all of them, so there is no way for that to invalidate other existing valid cookies.

@paul-mesnilgrente

Oh, I understand now. The thing is that I thought the session hash in the cookie could be invalidated somehow. But it can't, as there's nothing to check it against. Is that the problem?

When we use a DB, we can check the session_id in the cookie against the one in the DB. So when the user logs out, we can update the session_id in the DB, which invalidates anything else.

@rafaelfranca
Collaborator

You got it right.
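The model the two comments above converge on, as an added example (not code from Devise, Rails, or any commenter; it uses only the Ruby standard library and an in-memory hash as a stand-in for a sessions table): a signed cookie store keeps all session state in the client's cookie, so the server has nothing to delete on logout and an old copy of the cookie still verifies; a server-side store keeps one record per session id, and deleting that record on logout rejects every copy of the id at once. The secret and the sessions hash are constructed placeholders.

```ruby
require 'openssl'
require 'json'
require 'securerandom'
require 'base64'

# Constructed placeholder; a real app uses its secret_key_base.
SECRET = 'example-secret-key-base'.freeze

# Constant-time byte comparison so MAC checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Cookie store: the whole session travels in a signed cookie ----------
module CookieStore
  # Encode the session hash and append an HMAC so tampering is detected.
  def self.sign(payload)
    data = Base64.strict_encode64(JSON.generate(payload))
    mac  = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
    "#{data}--#{mac}"
  end

  # Returns the session hash, or nil if the cookie is malformed or forged.
  def self.verify(cookie)
    data, mac = cookie.to_s.split('--', 2)
    return nil unless data && mac
    expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
    return nil unless secure_equal?(mac, expected)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def self.login(user_id)
    sign('user_id' => user_id)
  end

  # Logout can only hand *this* browser a fresh empty cookie; the server
  # holds no state, so copies of the old cookie are untouched.
  def self.logout
    sign({})
  end

  def self.current_user(cookie)
    session = verify(cookie)
    session && session['user_id']
  end
end

# --- Server-side store: the cookie carries only an opaque id -------------
module ServerStore
  SESSIONS = {} # constructed in-memory stand-in for a DB or redis table

  def self.login(user_id)
    sid = SecureRandom.hex(32)
    SESSIONS[sid] = { 'user_id' => user_id }
    sid
  end

  # Deleting the record invalidates every copy of the id, wherever it is.
  def self.logout(sid)
    SESSIONS.delete(sid)
    nil
  end

  def self.current_user(sid)
    record = SESSIONS[sid]
    record && record['user_id']
  end
end

# Reproduces the issue's scenario against both stores: log in, keep a copy
# of the identifier, log out, then present the copy again.
def replay_after_logout
  cookie     = CookieStore.login(42)
  old_cookie = cookie.dup
  CookieStore.logout
  cookie_result = CookieStore.current_user(old_cookie) # still 42

  sid     = ServerStore.login(42)
  old_sid = sid.dup
  ServerStore.logout(sid)
  server_result = ServerStore.current_user(old_sid) # nil: record is gone

  { cookie_store: cookie_result, server_store: server_result }
end

puts replay_after_logout.inspect if $PROGRAM_NAME == __FILE__
```

Rails' cookie store additionally encrypts the payload, and the `activerecord-session_store` and redis-backed stores are the production versions of `ServerStore`; the point the example isolates is that only a store with a server-side record gives logout something to delete.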

@patleb

patleb commented Sep 6, 2022

Please see my comment here.
