tags:

views:

22

answers:

1
+2  Q: 

Simple question about session...

I came across this example from Ruby's security page (http://guides.rubyonrails.org/security.html). It poses this scenario:

  • A user receives credits, the amount is stored in a session (which is a bad idea anyway, but we’ll do this for demonstration purposes).
  • The user buys something.
  • His new, lower credit will be stored in the session.
  • The dark side of the user forces him to take the cookie from the first step (which he copied) and replace the current cookie in the browser.
  • The user has his credit back.

I'm a little confused, as I always understood that the session cookie's value is merely an identifier for the server-controlled session state. This example is saying that the cookie's state controls the session's state and that states of session on the server are maintained over time.

Can someone explain this? Thanks.

+2  A: 

That's true for server-side sessions, however this example is from 2.6 Replay Attacks for CookieStore Sessions. CookieStore stores what would usually be persisted in a server-side session in the cookie, and therefore on the client which makes it vunerable to the replay attack in the example.

Danny Thomas  2010-09-02 12:24:28
OK, so then my understanding of regular session state is correct then? Thanks.
Ryan  2010-09-02 12:25:37
Yep, exactly right.
Danny Thomas  2010-09-02 12:35:02

related questions

What is typically the length of your optimal coding session?
What's the most current, good practice, and easiest way to use sessions in PHP?
What can cause an ASP.NET worker process to be recycled?
How do I explicitly set asp.net sessions to ONLY expire on closing the browser or explicit logou?
session variable mixup in ASP.NET?
In Classic asp, can I store a database connection in the Session object?
What are the advantages and disadvantages of the Session Façade Core J2EE Pattern?
Different values of GetHashCode for inproc and stateserver session variables
Best way for allowing subdomain session cookies using Tomcat
Is there a way to specify a different session store with Tomcat?
PHP: $_SESSION - What are the pros and cons of storing temporarily used data in the $_SESSION variable
What is the best way to handle sessions for a PHP site on multiple hosts?
How much data can/should you store in a users session object?
ASP.Net Session_Start event not firing
Logging image downloads
ASP.Net: If I have the Session ID, Can I get the Session object?
Secure session cookies in ASP.NET over HTTPS
Django Sessions
Can I put an ASP.Net session ID in a hidden form field?
Always including the user in the django template context
Rails - recovering database from Production.log
Most efficient way to get data from the database to session
What is the best way to prevent session hijacking?
FOSS ASP.Net Session Replication Solution?
How do I best detect an ASP.NET expired session?