Forum: Ruby on Rails RE: understanding session fixation attacks

Tom Fakes (Guest)
on 2005-12-25 23:19
(Received via mailing list)
If the attacker guesses wrong, the session won't be found in the session
store and a new session will be generated. This is exactly the same
case as when a user uses a session ID that is old and has been deleted
from the session store by your session store clean-up process.

Do you just want to track when a session ID is invalid, or do you want
to stop the generation of new sessions?

________________________________

From: Onur Turgay [mailto:onurturgay@gmail.com]
Sent: Sunday, December 25, 2005 3:26 AM
To: rails@lists.rubyonrails.org
Subject: [Rails] understanding session fixation attacks

Is there a way that our application can understand whether the session
ID sent from the browser is forged or created by Rails? I understand
that if the attacker guesses the session ID, there's nothing we can do about
it; but can we understand if he/she is trying to guess by creating
random session IDs?
Onur Turgay (Guest)
on 2005-12-26 13:51
(Received via mailing list)
Yeah, your suggestion works. Whenever a session ID is forged, it's
refused and a new session is generated. Thus I can compare the internal
session ID with the cookie one and understand the forging.

I was in doubt whether Rails would generate a new session based on a
forged ID; the answer is no.
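The behaviour discussed in this thread, as an added plain-Ruby example that is not part of the original posts and does not use Rails: a constructed in-memory session store, a lookup that issues a fresh session whenever the presented ID is unknown (guessed or merely expired, which the store itself cannot distinguish), and the check Onur describes, comparing the cookie's ID with the one actually in use after lookup. The store class, the function names and the verdict symbols are all assumptions of this example.

```ruby
require 'securerandom'

# Constructed minimal model of a server-side session store: id => data.
class SessionStore
  def initialize
    @sessions = {}
  end

  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def exist?(id)
    @sessions.key?(id)
  end

  # Models the clean-up process that deletes old sessions from the store.
  def expire(id)
    @sessions.delete(id)
  end
end

# Resolve the session for one request. presented_id is the value of the
# session cookie the browser sent (nil when no cookie was sent).
# Returns [active_session_id, verdict] where verdict is one of
#   :new      - no cookie presented, a fresh session was issued
#   :resumed  - the cookie matched a live session
#   :replaced - the cookie matched no live session (guessed, forged or
#               simply expired); a fresh session was issued instead
def resolve_session(store, presented_id)
  return [store.create, :new] if presented_id.nil? || presented_id.empty?
  return [presented_id, :resumed] if store.exist?(presented_id)
  [store.create, :replaced]
end

# The check from the thread: the store cannot tell a guessed ID from an
# expired one, but comparing the presented ID with the ID in use after
# lookup shows whether the presented one was refused. Logging these
# events (rate per client, for instance) is what makes guessing visible.
def presented_id_refused?(presented_id, active_id)
  !presented_id.nil? && !presented_id.empty? && presented_id != active_id
end
```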