Rails session protector
Following the recent news that session hijacking is now as easy as installing a Firefox plugin (Firesheep), we've created a simple Rails plugin that will help you protect your users. It's basically a proof of concept, but it works very nicely with Devise. Check it out on GitHub: session_protector.
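As an added illustration of the approach the plugin takes (this is example code, not the session_protector plugin's own code), here is a Rack-style middleware that binds a session to a fingerprint of the client's User-Agent and, optionally, its IP address, and clears the session when that fingerprint changes. The class name `SessionFingerprint`, the `check_ip:` option and the sample requests are constructed for this example; it assumes it is mounted after the session middleware, so `env["rack.session"]` is populated.

```ruby
require "digest"

# Constructed example middleware: stores a hash of client attributes in the
# session and drops the session if a later request no longer matches it.
class SessionFingerprint
  KEY = "_fingerprint"

  def initialize(app, check_ip: false)
    @app = app
    # IP checking is off by default: clients behind NAT, proxies or mobile
    # carriers legitimately change IP mid-session.
    @check_ip = check_ip
  end

  def call(env)
    session = env["rack.session"]
    current = fingerprint(env)
    stored = session[KEY]
    if stored && stored != current
      session.clear  # client attributes changed: treat as a possible hijack
      env["session_fingerprint.mismatch"] = true
    end
    session[KEY] = current
    @app.call(env)
  end

  private

  def fingerprint(env)
    parts = [env["HTTP_USER_AGENT"].to_s]
    parts << env["REMOTE_ADDR"].to_s if @check_ip
    Digest::SHA256.hexdigest(parts.join("\n"))
  end
end

# Constructed sample traffic: returns the logged-in user_id seen after each
# request, or nil once the middleware has cleared the session.
def simulate(check_ip:)
  app = SessionFingerprint.new(->(_env) { [200, {}, ["ok"]] }, check_ip: check_ip)
  session = { "user_id" => 42 }
  request = lambda do |ua, ip|
    app.call("rack.session" => session, "HTTP_USER_AGENT" => ua, "REMOTE_ADDR" => ip)
    session["user_id"]
  end
  [request.call("Mozilla/5.0 (X11)", "10.0.0.5"),
   request.call("Mozilla/5.0 (X11)", "10.0.0.9"), # same UA, new IP
   request.call("curl/7.68.0", "10.0.0.9")]       # different UA
end
```

With `check_ip: false` only the User-Agent change ends the session; with `check_ip: true` the IP change already does, which is the trade-off the comments below debate.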
Comments
This is a nice idea. It’s a little “security by obscurity” but would certainly make it a lot harder for the hordes using Firesheep to break in.
If I am a man in the middle, it's easy as pie to fake the user agent as well. Also this plugin breaks a lot of apps for users behind NAT/proxies that use multiple IP addresses (non-sticky session round robin load balancing), e.g. larger corporations, (3G) providers, universities.
Sorry to say, but this approach is broken by design.
Roland - well, checking for users' IP may / should be configured per app and app requirements. But I don't think that checking for USER_AGENT changes is an approach broken by design. If you have any other idea of how to protect an unencrypted session, please share with me :)
The answer is simple: Use TLS all the f*cking time.
(Or develop a one-time key that changes after each request and is computed from a seed, sent to the client over the initial SSL request. Not sure if you could do this with JavaScript, and the longer I think about it the worse I feel. Use SSL all the fucking time!)
Cute idea, but why the dependency on devise? Why not just destroy the session in the middleware if it looks to be hijacked?
Donald Ball – dependency on Devise because we’re waiting on something more awesome from you. Go, Donald go!