Empty session id leads to shared session + Fix

We recently encountered some users that had an empty session id and were therefore logged in as other users. To fix this (the reason why the ids were empty is still unknown...) we now forbid blank session ids.

# Users who arrive with a blank _session_id cookie all resolve to the same
# (empty-id) session record and so get logged in as each other / share one session.
# -> forbid empty session ids: treat a blank id as "no session" so a fresh id is generated.
# TEST: set the _session_id cookie to "" and confirm it is removed/replaced.
class ActionController::Session::AbstractStore
  # Wraps the stock load_session via alias_method_chain. The original returns
  # [session_id, session_data]; discard both when the id is blank.
  def load_session_with_blank_id_protection(*args)
    id, data = load_session_without_blank_id_protection(*args)
    return [nil, {}] if id.blank?
    [id, data]
  end
  alias_method_chain :load_session, :blank_id_protection
end
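
As an added example (not code from the original post or from Rails), the following self-contained Ruby script reproduces the failure mode and the fix against a toy in-memory store. The store's `load_session_without_blank_id_protection` trusts the cookie value as-is, so two browsers that both send `_session_id=""` are handed the same record; the guarded variant mirrors the patch above and returns `[nil, {}]` for a blank id so the request cycle mints a fresh id. `ToySessionStore`, `shared_session_demo` and `normal_session_demo` are invented names, `id.strip.empty?` stands in for ActiveSupport's `blank?`, and the `""` cookie value is the constructed input the TEST comment describes.

```ruby
require 'securerandom'

# Toy in-memory session store shaped like the patch above: load_session
# returns [session_id, session_data] and the request cycle commits the data
# back under that id. Constructed for this example; it is not Rails code.
class ToySessionStore
  def initialize
    # session id => session data; unknown ids get a fresh empty hash
    @sessions = Hash.new { |h, k| h[k] = {} }
  end

  def generate_sid
    SecureRandom.hex(16)
  end

  # Unpatched lookup: trusts whatever id the _session_id cookie carries.
  # Every request carrying "" therefore resolves to the single "" record.
  def load_session_without_blank_id_protection(cookie_sid)
    [cookie_sid, @sessions[cookie_sid]]
  end

  # Patched lookup, mirroring load_session_with_blank_id_protection above:
  # a blank id is treated as "no session", so the caller mints a new id and
  # starts from an empty hash instead of joining the shared "" record.
  # (id.strip.empty? stands in for ActiveSupport's blank? here.)
  def load_session_with_blank_id_protection(cookie_sid)
    id, data = load_session_without_blank_id_protection(cookie_sid)
    return [nil, {}] if id.nil? || id.strip.empty?
    [id, data]
  end

  # One request: load the session named by the cookie, let the app use it,
  # commit it, and return the id the response should set in the cookie.
  def request(cookie_sid, guard: true)
    id, data = if guard
                 load_session_with_blank_id_protection(cookie_sid)
               else
                 load_session_without_blank_id_protection(cookie_sid)
               end
    yield data
    # nil only on the guarded path; "" is truthy in Ruby and so survives here,
    # which is exactly why the unguarded path keeps reusing the "" record.
    id ||= generate_sid
    @sessions[id] = data
    id
  end
end

# Two browsers both send _session_id="" (constructed input). Alice logs in,
# then Bob only reads his session. Returns both ids and who Bob appears as.
def shared_session_demo(guard:)
  store = ToySessionStore.new
  alice_sid = store.request("", guard: guard) { |s| s[:user_id] = "alice" }
  bob_sees = nil
  bob_sid = store.request("", guard: guard) { |s| bob_sees = s[:user_id] }
  { alice_sid: alice_sid, bob_sid: bob_sid, bob_sees: bob_sees }
end

# A real id is still honoured by the guarded path: data persists across
# requests and the cookie value is unchanged.
def normal_session_demo
  store = ToySessionStore.new
  sid = store.request("a1b2c3", guard: true) { |s| s[:user_id] = "carol" }
  seen = nil
  store.request(sid, guard: true) { |s| seen = s[:user_id] }
  { sid: sid, seen: seen }
end

if $PROGRAM_NAME == __FILE__
  puts "unguarded: #{shared_session_demo(guard: false).inspect}"
  puts "guarded:   #{shared_session_demo(guard: true).inspect}"
end
```

Run it with `ruby` and compare the two lines: unguarded, both users keep the `""` id and Bob reads `"alice"` out of Alice's session; guarded, each user gets a distinct random id and Bob's session is empty. The guard also treats whitespace-only and missing ids as blank, which is the behaviour `blank?` gives in the Rails patch.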
