Camping 2.0 - What's left?
blueberry at creativepony.com
Sun May 25 02:00:49 EDT 2008
No, that isn't a problem. The cookie contains a marshaled string of
the @store variable, but it also has after it a ':' and then an SHA256
hash of the marshaled string combined with a secret value the user
needs to set in their controller with something like:
@@state_secret = "secret thingy here"
Unfortunately, it is totally insecure if that isn't set, and I guess
we should raise an error in that case, or maybe just make a random
value, though that would cause problems in servers using multiple
running copies of ruby, and in CGI, cluster server systems, and so on.
Ideally I wanted to make the fallback string be the source code for
the main app file, which I figured would be unique enough and secret
enough in most situations, but couldn't figure out how from the
context of a module.
Rails gets around this issue by having a 'generator' which includes a
random code at the time of app creation hard coded in, and ships with
cookie sessions as the default session store for convenience. The
rails implementation is a bit more complex in that it can span the
session data over multiple cookies if it won't fit in just one. I
personally think if app developers are trying to stuff more than 4k of
stuff in a session they should get errors anyway to teach them that
it's not appropriate, regardless of the storage system.
Anyway, if the attacker doesn't know the value of @state_secret, and
the hashing algorithm in use isn't broken, changing any character in
the cookie will cause it to be ignored and a new session created. They
could brute force it, but SHA256 has a pretty decent hash length and
that would take some serious time.
It's much the same concept as 'signing' used in various other systems.
In this case instead of an expensive encryption certificate as the
secret, we have a made up string.
On 25/05/2008, at 1:43 PM, _why wrote:
> On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote:
>> * The cookie session is named Camping::Session and is placed in
>> camping/session.rb. Maybe this should be called
>> Camping::CookieSession or???
> You know, these cookie sessions seem like they could be a problem.
> A lot of sessions would contain just the hash and the user name.
> So, spoof the user name and you're in, you know?
> Camping-list mailing list
> Camping-list at rubyforge.org
More information about the Camping-list