RE: understanding session fixation attacks


#1

If the attacker guesses wrong, the session won’t be found in the session
store and a new session will be generated. This is exactly the same
case as when a user uses a session ID that is old and has been deleted
from the session store by your session store cleanup process.

Do you just want to track when a session ID is invalid, or do you want
to stop the generation of new sessions?


From: Onur T. [mailto:removed_email_address@domain.invalid]
Sent: Sunday, December 25, 2005 3:26 AM
To: removed_email_address@domain.invalid
Subject: [Rails] understanding session fixation attacks

Is there a way that our application can understand whether the session
ID sent from the browser is forged or created by Rails? I understand
that if the attacker guesses the session ID, there's nothing we can do about
it; but can we understand if he/she is trying to guess by creating
random session IDs?


#2

Yeah, your suggestion works. Whenever a session ID is forged, it’s
refused and a new session is generated. Thus I can compare the internal
session ID with the cookie one and understand the forging.

I was in doubt whether Rails will generate a new session based on a
forged ID; the answer is no.
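The check agreed on in this thread, as an added example that is not code from either poster or from Rails itself: a constructed in-memory session store stands in for the real one, `load_session` models the behaviour described (an unrecognised ID is refused and a fresh session is issued), and `UnknownSessionDetector` compares the ID the browser presented with the ID the server actually used. Because reply #1 points out that an expired-but-legitimate ID looks exactly like a guessed one, the detector only raises an alert once a client has presented several unknown IDs, so one miss after a cleanup run is treated as normal. All class and method names here are assumptions for the illustration.

```ruby
require 'securerandom'

# Constructed stand-in for a server-side session store (not Rails' own store).
class SessionStore
  def initialize
    @sessions = {}
  end

  # Issue a fresh, unguessable session id.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def include?(id)
    @sessions.key?(id)
  end

  # Models the cleanup process mentioned in reply #1.
  def expire(id)
    @sessions.delete(id)
  end
end

# Mirrors the behaviour described in the thread: an id that is not in the
# store (guessed or expired) is refused and a brand-new session is created.
# Returns [assigned_id, event]; event is :unknown_id when a presented id
# was not found, nil otherwise.
def load_session(store, presented_id)
  return [presented_id, nil] if presented_id && store.include?(presented_id)

  [store.create, presented_id ? :unknown_id : nil]
end

# Detection layer built on the comparison from post #2: if the id the
# browser sent differs from the id the server ended up using, the presented
# id was not recognised. A single miss is expected after cleanup, so only a
# run of misses from the same client becomes an alert.
class UnknownSessionDetector
  def initialize(threshold: 3)
    @threshold = threshold
    @counts = Hash.new(0)   # unknown-id events per client
  end

  # Returns :ok, :unknown_id, or :alert once the client reaches the threshold.
  def observe(client, presented_id, assigned_id)
    return :ok if presented_id.nil? || presented_id == assigned_id

    @counts[client] += 1
    @counts[client] >= @threshold ? :alert : :unknown_id
  end

  def count_for(client)
    @counts[client]
  end
end

# Constructed walk-through: a legitimate client whose session expires (one
# harmless miss) and a second client presenting random ids on every request.
def scenario
  store = SessionStore.new
  detector = UnknownSessionDetector.new(threshold: 3)
  results = []

  legit_id = store.create
  assigned, _event = load_session(store, legit_id)
  results << detector.observe('10.0.0.1', legit_id, assigned)   # valid id

  store.expire(legit_id)                                          # cleanup ran
  assigned, _event = load_session(store, legit_id)
  results << detector.observe('10.0.0.1', legit_id, assigned)   # single miss

  3.times do
    random_id = SecureRandom.hex(16)                              # never issued
    assigned, _event = load_session(store, random_id)
    results << detector.observe('10.0.0.2', random_id, assigned)
  end

  results
end

puts scenario.inspect if $PROGRAM_NAME == __FILE__
```

In a real application the comparison would sit in a before-filter reading the raw cookie value and the loaded session's id, and the per-client counter would live in something shared across processes rather than a Ruby hash.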