Forum: Rails-core (closed, excessive spam) Does cookie session store present a security vulnerability?

809cc47c51cafd2d20ff244dfcc17a37?d=identicon&s=25 Aamer (Guest)
on 2008-04-17 01:12
(Received via mailing list)
I was just having a discussion with some folks on #rails-contrib about
security vulnerabilities that the cookie session store could present.

My main concern is that if a hacker sniffs an http request and gets a
hold of the cookie, then the session is hijacked forever.  With the
server-side session stores, you would presumably expire sessions after
a certain period of inactivity, but with the cookie store, the
hijacker will continue to maintain control over a session if he/she
stays inactive.

This seems like a problem.  One solution that I had and others on the
channel suggested too was to put an expiration in the cookie data.  If
you put a UTC time for the when the cookie should expire, then an
inactive hacker will automatically have their hijacked session
destroyed.

The only issue I can see with this solution is the fact that you will
constantly have to send expiration updates to the cookie in every HTTP
response. I'm not sure how often Rails updates the cookie right now,
but if it doesn't do it on every HTTP response, then implementing this
solution could become a performance burden.

-Aamer (JTMarlin on Freenode)
This topic is locked and can not be replied to.