If the attacker guesses wrong, the session won’t be found in the session
store and a new session will be generated. This is exactly the same
case as when a user uses a session ID that is old and has been deleted
from the session store by your session store clean up process.
Do you just want to track when a session ID is invalid, or do you want
to stop the generation of new sessions?
From: Onur T. [mailto:firstname.lastname@example.org]
Sent: Sunday, December 25, 2005 3:26 AM
Subject: [Rails] understanding session fixation attacks
is there a way that, our application can understand wheteher the session
id sent from the browser is forged or created by rails? I understand
that if the attacker guesses session id, theres nothing we can do about
it; but can we understand if he/she is trying to guess by creating
random session ids.