Forum: Ruby on Rails RE: understanding session fixation attacks

Tom F. (Guest)
on 2005-12-26 00:19
(Received via mailing list)
If the attacker guesses wrong, the session won't be found in the session
store and a new session will be generated. This is exactly the same
case as when a user uses a session ID that is old and has been deleted
from the session store by your session store clean up process.

Do you just want to track when a session ID is invalid, or do you want
to stop the generation of new sessions?


From: Onur T. [mailto:removed_email_address@domain.invalid]
Sent: Sunday, December 25, 2005 3:26 AM
To: removed_email_address@domain.invalid
Subject: [Rails] understanding session fixation attacks

is there a way that, our application can understand whether the session
id sent from the browser is forged or created by rails? I understand
that if the attacker guesses session id, there's nothing we can do about
it; but can we understand if he/she is trying to guess by creating
random session ids.
Onur T. (Guest)
on 2005-12-26 14:51
(Received via mailing list)
yeah your suggestion works. whenever a session id is forged, it's
refused and a new session is generated. thus I can compare internal
session id with the cookie one and understand the forging.

I was in doubt whether rails will generate a new session based on
forged id; the answer is no.
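Added example (not code from the thread, and not Rails' own session store): a small in-memory stand-in that models the behaviour Tom describes, a presented session ID that is not in the store is refused and a fresh session is generated, and Onur's check, comparing the ID from the cookie with the ID the server ends up using. The class and method names (`SessionStore`, `classify_request`, `login_regenerates`) are assumptions for this illustration; the regenerate-on-login step corresponds to what `reset_session` achieves in Rails and is the standard fixation defence, included here because the thread's question is about fixation.

```ruby
require 'securerandom'

# Constructed in-memory stand-in for a server-side session store (not Rails' code).
# It models the behaviour described in the thread: a presented session ID that is
# absent from the store is refused and a fresh session is generated in its place.
class SessionStore
  def initialize
    @sessions = {} # session_id => session data hash
  end

  def generate_id
    SecureRandom.hex(16) # 128 bits of randomness, not guessable in practice
  end

  # Create a new empty session and return its ID.
  def create
    id = generate_id
    @sessions[id] = {}
    id
  end

  # Resolve the ID the browser presented (nil, forged, guessed, or expired).
  # Returns [server_id, data, fresh]; fresh is true when the presented ID was
  # not found and a new session had to be generated.
  def load(presented_id)
    if presented_id && @sessions.key?(presented_id)
      [presented_id, @sessions[presented_id], false]
    else
      id = create
      [id, @sessions[id], true]
    end
  end

  # Fixation defence: move the session data to a brand-new ID and drop the old
  # one, so an ID an attacker planted before login stops being valid afterwards.
  def regenerate(old_id)
    data = @sessions.delete(old_id) || {}
    new_id = generate_id
    @sessions[new_id] = data
    new_id
  end

  # What a session clean-up process does to stale sessions.
  def delete(id)
    @sessions.delete(id)
  end
end

# Onur's check: compare the cookie's ID with the ID the server actually uses.
# A mismatch on a request that carried a cookie means the presented ID was
# refused. As Tom notes, the server cannot tell a forged ID from an expired
# one, so :refused is a signal to count per client, not proof of an attack.
def classify_request(store, cookie_id)
  server_id, _data, fresh = store.load(cookie_id)
  status =
    if cookie_id.nil?
      :no_cookie # first visit, nothing suspicious
    elsif fresh
      :refused   # presented ID unknown to the store
    else
      :valid
    end
  [status, server_id]
end

# Walk through the cases discussed in the thread; returns a hash of outcomes.
def demo
  store = SessionStore.new
  results = {}
  results[:first_visit] = classify_request(store, nil).first
  valid_id = store.create
  results[:valid] = classify_request(store, valid_id).first
  results[:forged] = classify_request(store, 'deadbeef' * 4).first # constructed bogus ID
  store.delete(valid_id) # clean-up removed it: same outcome as a forged ID
  results[:expired] = classify_request(store, valid_id).first
  results
end

# After login the ID must change, the old ID must be refused, the new one valid.
def login_regenerates(store)
  pre_login = store.create
  post_login = store.regenerate(pre_login)
  [post_login != pre_login,
   classify_request(store, pre_login).first == :refused,
   classify_request(store, post_login).first == :valid]
end

if __FILE__ == $PROGRAM_NAME
  p demo
  p login_regenerates(SessionStore.new)
end
```

In a real application the `:refused` outcome is what you would log with the client's address and rate-limit on; the example deliberately makes the expired and forged cases indistinguishable, because that is the point Tom makes about the session store.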