A security researcher has warned that all versions of Ruby on Rails from 2.0 through 4.0 suffer from a vulnerability that allows hackers to hijack user accounts through the use of session cookies.
Ruby on Rails uses CookieStore as its default session storage mechanism, which keeps a user’s entire session hash on the client side in the form of a web browser cookie. No information about the session is stored in the ‘sessions’ database table, so a log out event has nothing on the server to invalidate, and this effectively makes the cookies valid for life.
G. S. McNamara, the researcher who discovered the flaw, explains that due to the lack of data in the ‘sessions’ table, Rails issues a new “empty-ish cookie to the user’s browser in order to overwrite the one granted when the user originally authenticated”, and instructs the browser to use the new cookie from that point forward. The researcher notes that this mechanism is flawed because there is no way to invalidate the old cookie.
Attacks that become possible in such a scenario include session sidejacking and XSS, among others. The researcher advises developers to configure their apps to store most of the session information on the server side, which would allow session data to be invalidated on log out events.
McNamara notes that the issue is not present in cases where Ruby 4 is set to encrypt the value of the cookies. The researcher also suggests that Ruby should be configured to use ActiveRecordStore or some other mechanism listed under the Sessions section of the Action Controller Overview of RailsGuides.
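To make the difference between the two designs concrete, here is an added example in plain Ruby (not code from the article, from McNamara, or from Rails itself): a toy HMAC-signed CookieStore, where logout only hands out a fresh empty cookie and the one issued at login still verifies, beside a server-side store keyed by a random session id that logout can actually delete. The secret, session contents and class names are constructed for the demo.

```ruby
require "openssl"
require "json"
require "securerandom"

# Toy stand-in for Rails' signed CookieStore: the entire session hash
# travels in the cookie, protected only by an HMAC over its contents.
class CookieStore
  def initialize(secret)
    @secret = secret # constructed demo secret is passed in by the caller
  end

  def encode(session)
    payload = [JSON.generate(session)].pack("m0") # base64, single line
    "#{payload}--#{sign(payload)}"
  end

  # Returns the session hash if the signature verifies, otherwise nil.
  def decode(cookie)
    payload, sig = cookie.to_s.split("--", 2)
    return nil unless sig && secure_compare(sign(payload), sig)
    JSON.parse(payload.unpack1("m0"))
  end

  # Logout can only hand the browser a fresh, empty cookie; the server keeps
  # no record that the cookie issued at login should stop working.
  def logout
    encode({})
  end

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end

  def secure_compare(a, b) # constant-time comparison of equal-length strings
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Server-side store in the spirit of ActiveRecordStore: the cookie carries only
# a random id, and the session data lives where logout can actually delete it.
class ServerStore
  def initialize; @sessions = {}; end
  def login(session); SecureRandom.hex(16).tap { |sid| @sessions[sid] = session }; end
  def lookup(sid); @sessions[sid]; end
  def logout(sid); @sessions.delete(sid); end
end

# A cookie captured before logout still decodes to the authenticated session.
def stale_cookie_after_logout
  store = CookieStore.new("constructed-demo-secret")
  old_cookie = store.encode("user_id" => 42)
  store.logout
  store.decode(old_cookie)
end
```

With the server-side store, `logout(sid)` removes the row and any later `lookup(sid)` returns nil, which is exactly the invalidation the cookie-only design cannot perform.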