{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 聊天终结者 的问题《Rails 3 ActiveRecordStore session_id tampering》','https://www.manongdao.com/q-539574.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am co-developing a simple web app in Rails 3.0.9 and I have realized that there is a possible session_id tampering possible via malicious request. Mind the fact, that this is my first RoR application, so I could be totally wrong in my conceptions.
Current application functionality requires sessions so I turned to ActiveRecordStore session storage, installed it and started testing in primitive workflows. I noticed that Rails framework creates cookie with the name _session_id and value of some random hash-like string (in DB SESSION table this string corresponds to session_id column).
If that value in the cookie is changed, for example with Firebug, current session id changes to one provided with cookie's data (inspected with request.session_options[:id]), and the change is propagated to the database table, creating new session record with aforementioned parameters.
While this brings no implications on a variables of the session, the session id have deviated from its usual hash-like appearance to a user tampered one.
Here is the question - how this behavior can be detected or preferably prevented?
To answer your question, it is important to understand the mechanics of how the session-id is generated. (from the docs)
So the session ID is engineered to be cryptographically "hard" to guess. An attacker could change the session_id but the idea is that they could never guess a valid session.
Based on the above logic, if you lower your session expiration times, there will be considerably fewer "live" session_id's. Thus making it even harder for an attacker to randomly select a usable id.
The easiest way is to log all requests with invalid (not expired) session id's. If you see a considerable influx of such requests, someone is probably attempting to acquire a session that is not their own.