Johan Sørensen

The login generator and session fixation

Shugo has a post on a shortcoming of the Rails login generator. The post is in Japanese and, as usual, automated translation services do a poor job of translating it into English. Although you don’t need to know Japanese in order to understand the Ruby code there, I figured I’ll attempt to explain in short what happens.

This PDF gives a good introduction to the theories of session fixation based attacks. One of the common ways to prevent these, at least to some extent, is to issue, or rather generate, a new session id (often in the shape of an MD5’ed string) when a user logs in.
The current version of the login generator doesn’t do this. But Shugo’s post has some code to show you how, and it basically consists of resetting the session before inserting any data (a User object in the case of the login generator) into it upon login, which will generate a new session id.
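
The difference between the two login paths, as an added Ruby example that is not Shugo's code or the login generator's own. `SessionStore`, both login methods and the `'known-sid'` / `'alice'` values are hypothetical, constructed stand-ins for a server-side session store, and `reset` models what Rails' `reset_session` does.

```ruby
require 'securerandom'
# Hypothetical in-memory stand-in for a server-side session store (not Rails code).
class SessionStore
  def initialize
    @sessions = {}
  end

  # Accepts whatever id the client presents, creating the session if needed.
  def fetch(sid)
    @sessions[sid] ||= {}
  end

  # Models a session reset: discard the old session, issue a fresh random id.
  def reset(sid)
    @sessions.delete(sid)
    new_sid = SecureRandom.hex(16)
    @sessions[new_sid] = {}
    new_sid
  end

  # Look up the logged-in user without creating a session as a side effect.
  def user_for(sid)
    @sessions.key?(sid) ? @sessions[sid][:user] : nil
  end
end

# Login that keeps the pre-login session id.
def login_without_reset(store, sid, user)
  store.fetch(sid)[:user] = user
  sid
end

# Login that resets the session before inserting the user.
def login_with_reset(store, sid, user)
  new_sid = store.reset(sid)
  store.fetch(new_sid)[:user] = user
  new_sid
end

# Constructed scenario: 'known-sid' is an id someone else already knows.
def demo
  a = SessionStore.new
  kept = login_without_reset(a, 'known-sid', 'alice')
  b = SessionStore.new
  b.fetch('known-sid') # pre-login session under the known id
  fresh = login_with_reset(b, 'known-sid', 'alice')
  { kept: kept, leaked: a.user_for('known-sid'), fresh: fresh,
    stale: b.user_for('known-sid'), current: b.user_for(fresh) }
end
```

In the hash returned by `demo`, `leaked` shows the known id ending up authenticated when the session is not reset, while `stale` shows that the same id maps to nothing once the session is reset before the user is stored.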