views:

849

answers:

3

I'm using the current version of restful_authentication that is found on github and I'm having a bunch of strange session issues. The server seems to be somehow assigning sessions to users it shouldn't be. This only happens when crossing the logged out/logged in barrier.

Here's an example. With no sessions active on the server, I log in to an account with user A. On another machine, I log in with user B. Then when logging out of user B, sometime after the logout redirect happens, I will be logged in as user A. From this point, I can continue to navigate the site as if I had logged in as that user! Something I've observed via the logs is that when this hijack happens, the session IDs are not the same. User A is logged in in both sessions, but the session IDs are completely different. This is just one example of what might happen. I can't reproduce the issue reliably as it is seemingly random.

It doesn't seem to be a symptom of the environment or the server it's running on. I can reproduce the problem using both mongrel and passenger. I've also seen it in development and production. I am using db-based sessions in this application and it is running on Rails 2.1.1. I applied the stateful option when calling the generator. Otherwise no other modifications have been made to how sessions are handled.

Update: Here is the offending method, which came directly from restful_authentication.

# Accesses the current user from the session.
# Future calls avoid the database because nil is not equal to false.
def current_user
  @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_user == false
end
+2  A: 

This can happen if you (or those who wrote restful_authentication) are caching the current user in a class variable. I've seen a bunch of articles advocating the use of "User.current_user", but since classes are cached across requests, this can cause session tainting.

Nathan de Vries
This seems like a plausible answer, but I was still able to reproduce this hijacking behavior after removing the storage of the current_user object in a cache variable.
Jared
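An added illustration of the mechanism this answer describes (it is not code from the question or from restful_authentication): a long-lived Rails process serves many requests, so anything stored at class level survives from one request to the next, while an instance variable like the `@current_user` memoisation above dies with the controller instance. The controller classes, `login_from_session` and the session hashes are constructed stand-ins.

```ruby
# Stand-in for a Rails controller: a fresh instance per request,
# memoising the user in an instance variable exactly as
# restful_authentication's current_user does.
class InstanceCachedController
  def initialize(session)
    @session = session # constructed session hash, e.g. { user_id: "A" }
  end

  def current_user
    @current_user ||= login_from_session unless @current_user == false
  end

  private

  # Constructed stand-in for the real DB lookup.
  def login_from_session
    @session[:user_id] && "user_#{@session[:user_id]}"
  end
end

# The anti-pattern: caching the user in a class variable. The class
# object is shared by every request the process handles.
class ClassCachedController < InstanceCachedController
  @@current_user = nil

  def current_user
    @@current_user ||= login_from_session
  end

  def self.reset!
    @@current_user = nil
  end
end

# Two requests handled back to back by the same process: user A's
# logged-in request, then a request whose session has no user at all.
# Returns [user seen by request 1, user seen by request 2].
def simulate(controller_class)
  controller_class.reset! if controller_class.respond_to?(:reset!)
  [controller_class.new({ user_id: "A" }).current_user,
   controller_class.new({}).current_user]
end

if __FILE__ == $0
  p simulate(InstanceCachedController) # => ["user_A", nil]
  p simulate(ClassCachedController)    # => ["user_A", "user_A"]  (leaked)
end
```

The second request in the class-cached run is served as user A despite carrying no login, which is the cross-session leak; the instance-cached version correctly yields nil.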
A: 

Is this site remote? Are you logging into it onto two separate computers on the same network?

Ryan Bigg
I have it running both locally in development on my laptop and in production on my server. You are correct about the 2 accounts on the same network. I am doing this in separate browsers on separate machines though.
Jared
+1  A: 

I don't know if this is so much of an answer as it is a workaround. All I did was switch over to cookie-based sessions and everything is working smoothly.

Jared