Security of Rails authentication with session[:user_id]

I've noticed a lot of Rails authentication tutorials store the user ID in session[:user_id] to remember the user and authenticate them. Assuming there is somewhere in the app that user_ids are exposed publicly (URLs, property on an HTML attribute, etc.), isn't this insecure since I could just edit my session cookie to use someone else's user_id? Am I missing something here?

Sam Grossberg asked Apr 27 '12 15:04


2 Answers

According to the Rails Security Guide: "To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie."

So it looks like the Session can be presumed to be safe from the user tampering with it (assuming our server side secret is kept safe). However, a user still can read anything in the session hash, so we wouldn't want to store sensitive information.

Sam Grossberg answered Oct 09 '22 05:10


The cookie tends not to contain the user_id; it contains the session key, which is essentially a random, meaning-free string of characters. The session is stored on the server (in the database, or memcached, or a NoSQL store like Redis, etc.), and the session holds the user id.

So, the session record (serverside only) for a given user might contain this data:

key:  asoiuoi09u23uo8789289askho2
user_id: 1234

And the cookie (client side) holds the session key, so the cookie looks like this:

name: somecookiename
site: www.yoursite.com
content: asoiuoi09u23uo8789289askho2

So, to access someone else's session you would need to get hold of their session key. This is by no means impossible (see session sniffing) but is made much harder by the use of HTTPS (which in turn requires SSL certs).

Max Williams answered Oct 09 '22 06:10