Camping 2.0 - What's left?

Bluebie, Jenna blueberry at creativepony.com
Sun May 25 02:00:49 EDT 2008 

No, that isn't a problem. The cookie contains a marshaled string of  
the @store variable, but it also has after it a ':' and then an SHA256  
hash of the marshaled string combined with a secret value the user  
needs to set in their controller with something like:

@@state_secret = "secret thingy here"

Unfortunately, it is totally insecure if that isn't set, and I guess  
we should raise an error in that case, or maybe just make a random  
value, though that would cause problems in servers using multiple  
running copies of ruby, and in CGI, cluster server systems, and so on.  
Ideally I wanted to make the fallback string be the source code for  
the main app file, which I figured would be unique enough and secret  
enough in most situations, but couldn't figure out how from the  
context of a module.

Rails gets around this issue by having a 'generator' which includes a  
random code at the time of app creation hard coded in, and ships with  
cookie sessions as the default session store for convenience. The  
rails implementation is a bit more complex in that it can span the  
session data over multiple cookies if it won't fit in just one. I  
personally think if app developers are trying to stuff more than 4k of  
stuff in a session they should get errors anyway to teach them that  
it's not appropriate, regardless of the storage system.

Anyway, if the attacker doesn't know the value of @state_secret, and  
the hashing algorithm in use isn't broken, changing any character in  
the cookie will cause it to be ignored and a new session created. They  
could brute force it, but SHA256 has a pretty decent hash length and  
that would take some serious time.

It's much the same concept as 'signing' used in various other systems.  
In this case instead of an expensive encryption certificate as the  
secret, we have a made up string.


—
Jenna

On 25/05/2008, at 1:43 PM, _why wrote:

> On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote:
>> * The cookie session is named Camping::Session and is placed in
>> camping/session.rb. Maybe this should be called  
>> Camping::CookieSession or???
>
> You know, these cookie sessions seem like they could be a problem.
> A lot of sessions would contain just the hash and the user name.
> So, spoof the user name and you're in, you know?
>
> _why
> _______________________________________________
> Camping-list mailing list
> Camping-list at rubyforge.org
> http://rubyforge.org/mailman/listinfo/camping-list

More information about the Camping-list mailing list