If the attacker guesses wrong, the session won't be found in the session store and a new session will be generated. This is exactly the same case as when a user uses a session ID that is old and has been deleted from the session store by your session store clean-up process. Do you just want to track when a session ID is invalid, or do you want to stop the generation of new sessions?

________________________________
From: Onur Turgay [mailto:firstname.lastname@example.org]
Sent: Sunday, December 25, 2005 3:26 AM
To: email@example.com
Subject: [Rails] understanding session fixation attacks

Is there a way that our application can understand whether the session ID sent from the browser is forged or created by Rails? I understand that if the attacker guesses the session ID, there's nothing we can do about it; but can we understand if he/she is trying to guess by creating random session IDs?
on 2005-12-25 23:19
on 2005-12-26 13:51
Yeah, your suggestion works. Whenever a session ID is forged, it's refused and a new session is generated. Thus I can compare the internal session ID with the cookie one and understand the forging. I was in doubt whether Rails would generate a new session based on the forged ID; the answer is no.
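The behaviour the thread settles on (an unknown cookie ID is never adopted as a session, a fresh ID is issued, and the mismatch between the presented ID and the server-side one is what you can log) as an added, stand-alone illustration; this is constructed example code, not Rails' own session store, and the SessionStore class, its method names and the 32-hex-character ID format are assumptions:

```ruby
require 'securerandom'

# Constructed illustration (not Rails' code): a minimal server-side session
# store that tells a fresh visitor (no cookie) apart from a client presenting
# an ID the store never issued, and never honours a client-supplied ID as a
# new session, so a guessed or fixated ID cannot be planted.
class SessionStore
  attr_reader :events

  def initialize
    @sessions = {}   # session id => session data
    @events = []     # detection log entries: [kind, presented_id]
  end

  # Issue a fresh, server-generated 32-hex-character session ID.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  # Resolve one request's cookie. Returns [session_id, data, status] where
  # status is :new (no cookie), :known (ID issued by us and still stored),
  # or :unknown (ID not in the store: expired, cleaned up, or guessed; the
  # store cannot tell these apart, as the first reply notes). For :unknown
  # the presented value is only logged and a brand-new ID is generated, so
  # comparing the returned id with the cookie value reveals the refusal.
  def resolve(presented_id)
    if presented_id.nil? || presented_id.empty?
      id = create
      return [id, @sessions[id], :new]
    end
    if @sessions.key?(presented_id)
      return [presented_id, @sessions[presented_id], :known]
    end
    @events << [:unknown_session_id, presented_id]
    id = create
    [id, @sessions[id], :unknown]
  end

  # Simulates the clean-up process removing an old session.
  def delete(id)
    @sessions.delete(id)
  end
end
```

In a real deployment the :unknown event is what you would feed to monitoring; a burst of such events from one client distinguishes guessing from the occasional expired cookie.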