Question

I'm using the current version of restful_authentication that is found on github and I'm having a bunch of strange session issues. The server seems to be somehow assigning sessions to users it shouldn't be. This only happens when crossing the logged out/logged in barrier.

Here's an example. With no sessions active on the server, I log in to an account with user A. On another machine, I log in with user B. Then when logging out of user B, sometime after the logout redirect happens, I will be logged in as user A. From this point, I can continue to navigate the site as if I had logged in as that user! Something I've observed via the logs is that when this hijack happens, the session IDs are not the same. User A is logged in in both sessions, but the session IDs are completely different. This is just one example of what might happen. I can't reproduce the issue reliably as it is seemingly random.

It doesn't seem to be a symptom of the environment or the server it's running on. I can reproduce the problem using both mongrel and passenger. I've also seen it in development and production. I am using db-based sessions in this application and it is running on Rails 2.1.1. I applied the stateful option when calling the generator. Otherwise no other modifications have been made to how sessions are handled.

Update: Here is the offending method, which came directly from restful_authentication.

# Accesses the current user from the session.
# Future calls avoid the database because nil is not equal to false.
def current_user
  @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_user == false
end

Solution 2

I don't know if this is so much of an answer as it is a workaround. All I did was switch over to cookie-based sessions and everything is working smoothly.

OTHER TIPS

This can happen if you (or those who wrote restful_authentication) are caching the current user in a class variable. I've seen a bunch of articles advocating the use of "User.current_user", but since classes are cached across requests, this can cause session tainting.
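As an added illustration of the class-variable hazard described in this tip (this is not code from restful_authentication or from anyone in this thread), the following Ruby script replays a short sequence of requests through a single long-lived process. The user table, the request sessions and both controller classes are constructed for the example; the point it shows is that a lookup memoised in a class variable survives from one request to the next, so every later request inherits the first user's identity, while the instance-variable memoisation used by the method quoted in the question is discarded with each new controller instance.

```ruby
# Added illustration (not code from restful_authentication or the question):
# simulates several requests served by one long-lived Ruby process to show why
# caching the current user at class level leaks identity between sessions,
# while an instance variable on the controller is reset with every request.

# Constructed stand-in for the users table.
USERS = { 1 => "alice", 2 => "bob" }.freeze

# Unsafe pattern: the lookup is memoised in a class variable, which survives
# across requests because the class object is shared by the whole process.
class LeakyController
  @@current_user = nil   # shared by every request this process handles

  def initialize(session)
    @session = session
  end

  def current_user
    @@current_user ||= USERS[@session[:user_id]]
  end
end

# Safe pattern: memoise on the controller instance, which Rails creates fresh
# per request. `false` records "already looked up, nobody logged in" so an
# anonymous request does not repeat the lookup, mirroring the quoted method.
class PerRequestController
  def initialize(session)
    @session = session
  end

  def current_user
    @current_user ||= (USERS[@session[:user_id]] || false) unless @current_user == false
    @current_user || nil
  end
end

# Replay a sequence of sessions through fresh controller instances, the way
# a Rails process instantiates a new controller object for each request.
def replay(controller_class, sessions)
  sessions.map { |s| controller_class.new(s).current_user }
end

# Constructed request sequence: alice logs in, then bob, then an anonymous request.
REQUESTS = [{ user_id: 1 }, { user_id: 2 }, {}].freeze

def leaky_result
  replay(LeakyController, REQUESTS)
end

def per_request_result
  replay(PerRequestController, REQUESTS)
end

if __FILE__ == $0
  p leaky_result        # ["alice", "alice", "alice"]  every request sees alice
  p per_request_result  # ["alice", "bob", nil]
end
```

Run it with `ruby leak_demo.rb`. The leaky class returns alice for bob's request and for the anonymous one, which is exactly the "logged in as someone else after a logout" symptom; the same happens with a `User.current_user` class-level accessor, because the class object, not the request, owns the cached value.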

Is this site remote? Are you logging into it onto two separate computers on the same network?

Licensed under: CC-BY-SA with attribution