What's the best way to keep users from sharing session cookies in Rails?

I think I have a good way to do it, but I'd like to run it by the stack overflow crowd to see if there's a simpler way first.

Basically I'd like to detect if someone tries to share a paid membership with others. Users are already screened at the point of login for logging in from too many different subnets, but some have tried to work around this by sharing session cookies. What's the best way to do this without tying sessions to IPs (lots of legitimate people use rotating proxies)?

The best heuristic I've found is the # of Class B subnets / Time (some ISPs use rotating proxies on different Class Cs). This has generated the fewest # of false positives for us so I'd like to stick with this method.

Right now I'm thinking of applying a before filter for each request that keeps track of which Subnets and session_ids a user has used in memcached and applies the heuristic to that to determine if the cookie is being shared.

Any simpler / easier to implement ideas? Any existing plugins that do this?

+1  A: 

One way I can think of would be to set the same random value in both the session and a cookie with every page refresh. Check the two to make sure they are the same. If someone shares their session, the cookie and session will get out of sync.

Jesse Weigert
That's a great idea. Question, could this cause race conditions in the wild? As in, if someone middle clicks on a bunch of links to open 'em in tabs, do you think the sequence could get messed up and give a false positive? At any rate, I wound up just implementing it the way I proposed this afternoon since I needed to get it finished.
Andrew Cholakian
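An added example (not code from the question or from Jesse's answer) of the rotating-value scheme Jesse describes, written as plain Ruby so it runs without Rails: the server keeps the last few values it issued rather than only the newest one, which is what addresses Andrew's concern about middle-clicking several links at once. The store class is an assumed stand-in for a server-side session store (memcached or ActiveRecord); the scheme cannot work with the Rails cookie store, because there the session itself travels in the cookie and a copied pair of cookies stays self-consistent on both machines. The `RECENT` width of 5, the class and method names, and the `Browser` model are all assumptions made for the example.

```ruby
require 'securerandom'

# Stand-in for a server-side session store (memcached or ActiveRecord in Rails).
# Assumption for this example; not part of the original post.
class SessionStore
  def initialize
    @sessions = {}
  end

  def create(data)
    sid = SecureRandom.hex(16)
    @sessions[sid] = data
    sid
  end

  def fetch(sid)
    @sessions[sid]
  end

  def save(sid, data)
    @sessions[sid] = data
  end
end

# Rotates a random value on every request: the new value is written both into
# the server-side session and into a separate cookie. A request whose cookie
# value is not among the last RECENT values issued means two clients are
# advancing the same session independently. Keeping several recent values,
# rather than only the newest, absorbs "open five links in tabs at once"
# without a false positive.
class NonceRotation
  RECENT = 5 # assumed; bounds how many simultaneous requests a browser may fire

  def initialize(store, recent: RECENT)
    @store = store
    @recent = recent
  end

  # At login: create the session and issue the first nonce cookie.
  def start(user_id)
    nonce = SecureRandom.hex(16)
    sid = @store.create(user_id: user_id, nonces: [nonce])
    [sid, nonce]
  end

  # In a before filter: verify the presented nonce, then rotate.
  # Returns [:ok, new_nonce], [:mismatch, nil] or [:unknown_session, nil].
  def check_and_rotate(sid, presented)
    data = @store.fetch(sid)
    return [:unknown_session, nil] unless data
    return [:mismatch, nil] unless data[:nonces].include?(presented)

    fresh = SecureRandom.hex(16)
    data[:nonces] = (data[:nonces] + [fresh]).last(@recent)
    @store.save(sid, data)
    [:ok, fresh]
  end
end

# Minimal browser model: holds the two cookies and keeps the newest Set-Cookie.
class Browser
  attr_reader :sid, :nonce

  def initialize(sid, nonce)
    @sid = sid
    @nonce = nonce
  end

  # What a user does when "sharing": copies both cookies to another machine.
  def copy_cookies
    Browser.new(@sid, @nonce)
  end

  def request(rotation)
    status, fresh = rotation.check_and_rotate(@sid, @nonce)
    @nonce = fresh if fresh
    status
  end

  # Open n tabs at once: every tab sends the current nonce before any
  # response has arrived; the browser ends up holding the last nonce issued.
  def open_tabs(rotation, n)
    results = Array.new(n) { rotation.check_and_rotate(@sid, @nonce) }
    issued = results.map(&:last).compact
    @nonce = issued.last unless issued.empty?
    results.map(&:first)
  end
end
```

The trade-off is visible in the window size: a copied cookie keeps working until the legitimate browser has made `RECENT` more requests (or the copier has, at which point the legitimate user is the one who mismatches; either way the session is provably in two places), and a burst of more than `RECENT` simultaneous requests from one browser will produce a false mismatch, so the value has to be tuned against how many parallel requests one page load actually makes.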
+1  A: 

You could tie the session information to browser information. If people are coming in from 3 or 4 different browser types within a certain time period, you can infer that something suspicious may be going on.

An alternative answer relies on a bit of social-engineering. If you have some heuristic that you trust, you can warn users (at the top of the page) that you suspect they are sharing their account and that they are being watched closely. A "contact us" link in the warning would allow legitimate users to explain themselves (and thus be permanently de-flagged). This may minimize the problem enough to take it off your radar.

Ron Gejman
Ron, thanks for the response. I picked yours over Jesse's because I'm worried about possible race conditions in his method. I unfortunately already implemented a subnet based method, but if that has any issues this is next on the list.
Andrew Cholakian
Glad it works for you. Just out of curiosity, are you going to outright ban people you suspect, or warn them in some manner similar to the one I suggested?
Ron Gejman
Well, they're paying customers, so we kill all the active sessions, and upon next login make them change their password (after proving their identity via payment info) and explain the situation. I doubt we'll implement a permanent de-flag however; we're using the same heuristic we use at the point of login and we haven't had any issues requiring permanent de-flagging yet.
Andrew Cholakian
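An added example (not code from the question or from Ron's answer) covering both the heuristic the question proposes, distinct Class B (/16) subnets per session cookie over a time window kept in memcached, and Ron's variant of counting distinct browser types over the same window. It is plain Ruby so it runs stand-alone; the `MemoryStore` class is an assumed stand-in for `Rails.cache` or a memcached client, and the window (one hour), the limits (3 networks, 2 browser strings), the `/48` prefix used for IPv6 addresses and all class and method names are assumptions made for the example. Browser type is approximated by the raw User-Agent string, which is the simplest version of what Ron suggests.

```ruby
require 'ipaddr'

# In-memory stand-in for memcached (assumption: Rails.cache / a memcached client
# in the real app; only read/write are needed and the windowing keeps values small).
class MemoryStore
  def initialize
    @data = {}
  end

  def read(key)
    @data[key]
  end

  def write(key, value)
    @data[key] = value
  end
end

# Per session cookie, counts how many distinct values of each tracked dimension
# (/16 network, User-Agent string) have been seen inside a sliding window and
# flags the session when a dimension exceeds its limit. Collapsing addresses to
# /16 means a rotating proxy pool inside one provider block counts once, which
# is what keeps the false-positive rate down for users behind such proxies.
class SharingHeuristic
  DEFAULT_WINDOW = 60 * 60                    # seconds; assumed, tune to traffic
  DEFAULT_LIMITS = { network: 3, browser: 2 } # distinct values tolerated; assumed

  def initialize(store, window: DEFAULT_WINDOW, limits: DEFAULT_LIMITS)
    @store = store
    @window = window
    @limits = limits
  end

  # /16 for IPv4 (the "Class B" the question counts); /48 for IPv6 is an assumption.
  def network_key(ip_string)
    ip = IPAddr.new(ip_string)
    prefix = ip.ipv4? ? 16 : 48
    "#{ip.mask(prefix)}/#{prefix}"
  end

  # Record one request (call this from a before filter). Returns the list of
  # dimensions whose limit is now exceeded; an empty list means nothing suspicious.
  def record(user_id, session_id, ip:, user_agent:, now: Time.now)
    observed = { network: network_key(ip), browser: user_agent }
    observed.keys.select do |dimension|
      count = track(user_id, session_id, dimension, observed[dimension], now)
      count > @limits.fetch(dimension)
    end
  end

  # Distinct values currently inside the window for one dimension.
  def distinct(user_id, session_id, dimension)
    (@store.read(key(user_id, session_id, dimension)) || {}).size
  end

  private

  def key(user_id, session_id, dimension)
    "sharing:#{user_id}:#{session_id}:#{dimension}"
  end

  # Value => last-seen time. Expire stale values, upsert the current one,
  # return how many distinct values remain in the window.
  def track(user_id, session_id, dimension, value, now)
    k = key(user_id, session_id, dimension)
    seen = @store.read(k) || {}
    seen.delete_if { |_v, at| now - at > @window }
    seen[value] = now
    @store.write(k, seen)
    seen.size
  end
end
```

Two practical notes. The read-modify-write in `track` is not atomic on a real memcached; under concurrent requests for the same session an update can be lost, which here only delays detection by a request rather than producing a false positive, but a CAS loop or a separate counter per value avoids even that. And because the key includes the session id, the count resets when the user logs in again, which is consistent with the question's statement that the login path already applies its own subnet check.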