Rails Security Flashcards
What are sessions?
Sessions let the app keep user-specific state across requests while a user interacts with it; HTTP itself is stateless, so the session is what ties one request to the next.
For example, a session lets a user authenticate once and stay signed in for subsequent requests instead of sending credentials every time.
Session Hijacking
Stealing a user’s session ID lets an attacker use the web application in the victim’s name.
Ways to hijack a session
- Sniffing the cookie on an insecure network
  solution: serve the whole app over an encrypted connection (HTTPS/TLS); in Rails, config.force_ssl = true redirects HTTP to HTTPS and marks the session cookie Secure so the browser never sends it in the clear
- Not clearing out the cookies after working at a public terminal
  solution: make the logout button prominent, and expire or invalidate sessions more frequently so an abandoned session is short-lived
- Cross-site scripting (XSS) exploits aimed at obtaining the user's cookie
  solution: fix the XSS (escape output); Rails also sets the session cookie HttpOnly by default, so injected script cannot read document.cookie, though it can still act in the user's name while the page is open
- Session fixation: instead of stealing a cookie unknown to the attacker, they fix a user's session identifier (in the cookie) to one they already know, then wait for the user to log in with it
  solution: call reset_session after a successful login so the authenticated session gets a fresh identifier the attacker never saw
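The following is an added example, not code from the flashcards or from Rails itself. It uses a tiny in-memory session store (an assumed stand-in for a server-side Rails store, with assumed method names) to show the session-fixation case concretely: the same login flow is run once keeping the incoming session id and once discarding it the way reset_session does, and the attacker's originally planted id is checked afterwards.

```ruby
require 'securerandom'

# Added example (not from the flashcards): a minimal in-memory session store
# standing in for a server-side Rails store, to show why the login action
# must call reset_session to defeat session fixation.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Issue a fresh, unpredictable session id, as the framework does on first visit.
  def new_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    sid
  end

  def valid?(sid)
    @sessions.key?(sid)
  end

  def user_for(sid)
    @sessions.fetch(sid, {})[:user_id]
  end

  # Vulnerable login: stores the user under whatever session id the request
  # arrived with, so an id chosen by an attacker becomes an authenticated one.
  def login_keep_sid(sid, user_id)
    @sessions[sid] ||= {}
    @sessions[sid][:user_id] = user_id
    sid
  end

  # Hardened login: the equivalent of calling reset_session before storing
  # the user, so the authenticated session id is one the attacker never saw.
  def login_reset_sid(old_sid, user_id)
    @sessions.delete(old_sid)
    new_sid = new_session
    @sessions[new_sid][:user_id] = user_id
    new_sid
  end

  # Logout: invalidate the session entirely (reset_session in Rails).
  def logout(sid)
    @sessions.delete(sid)
    nil
  end
end

# Fixation scenario: the attacker obtains a valid session id, plants it in the
# victim's browser (crafted link, XSS-set cookie, shared terminal) and waits
# for the victim to log in with it.
def fixation_succeeds?(store, login_method)
  attacker_sid = store.new_session       # the only id the attacker knows
  victim_sid = attacker_sid              # ...and it is now in the victim's cookie
  store.public_send(login_method, victim_sid, 42)
  store.user_for(attacker_sid) == 42     # true => attacker's cookie is now user 42's session
end

if __FILE__ == $PROGRAM_NAME
  puts "login without reset_session: fixation works? #{fixation_succeeds?(SessionStore.new, :login_keep_sid)}"
  puts "login with reset_session:    fixation works? #{fixation_succeeds?(SessionStore.new, :login_reset_sid)}"
end
```

In a Rails controller the hardened path is reset_session followed by session[:user_id] = user.id. With the default CookieStore there is no server-side table of ids, but reset_session still throws away the old cookie contents and issues a new cookie, which is what breaks the attacker's hold on the session.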
What is SSL?
SSL: Secure Sockets Layer. It has been superseded by TLS (Transport Layer Security), but "SSL" is still the everyday name for the same thing.
SSL/TLS encrypts and authenticates the connection between a browser and a website (or between two servers), so someone watching the network cannot read or alter the data in transit, including passwords, personal or financial data and the session cookie. It only protects the cookie on the wire: it does nothing against XSS, a session left open on a public terminal, or session fixation, and it does not protect a cookie that was sent over a plain HTTP request because the Secure flag was missing.
Session Storage
Rails uses ActionDispatch::Session::CookieStore as the default session store. The whole session hash is serialized into the cookie itself, signed (and, in current Rails, also encrypted) with keys derived from secret_key_base, so the server keeps no session state and the browser cannot read or alter what is in the cookie. Two consequences to remember: cookies are limited to about 4 KB, so keep only small values such as the user id in the session, and because nothing is stored server-side a stolen cookie stays valid until it expires; the server cannot revoke one specific copy of it.
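As an added example, not Rails' own implementation, here is a stripped-down signed session cookie in the spirit of CookieStore: the session hash is serialized into the cookie value with an HMAC over it, and the decoder refuses anything whose signature does not verify. Rails derives its keys from secret_key_base and in current versions encrypts the payload as well; this example only signs, which is enough to show why a client cannot forge or edit its session. The SECRET constant and the helper names are assumptions made for a stand-alone script.

```ruby
require 'openssl'
require 'json'

# Added example, not Rails' own code: a simplified signed cookie in the
# spirit of ActionDispatch::Session::CookieStore. SECRET is an assumed
# constant for this demo; Rails derives its keys from secret_key_base.
SECRET = 'example-secret-do-not-use-in-production'.freeze

def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
end

# Constant-time comparison so the time taken does not reveal how many
# leading bytes of a forged signature happened to be correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize the session hash as "base64(json)--hmac", the layout Rails used
# for signed cookies; this string is what the browser stores and sends back.
def encode_session(session)
  payload = [JSON.generate(session)].pack('m0')
  "#{payload}--#{sign(payload)}"
end

# Verify before trusting anything in the cookie. nil means forged, altered or
# malformed: the app must treat that as "no session", never try to repair it.
def decode_session(cookie)
  payload, sig = cookie.split('--', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_equal?(sig, sign(payload))
  JSON.parse(payload.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

# What an attacker tries against a client-side session: rewrite user_id in the
# cookie and keep the old signature. With no signature check this would log
# them in as another user; with the check, decode_session rejects the cookie.
def tamper(cookie, from:, to:)
  payload, sig = cookie.split('--', 2)
  session = JSON.parse(payload.unpack1('m0'))
  session['user_id'] = to if session['user_id'] == from
  "#{[JSON.generate(session)].pack('m0')}--#{sig}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = encode_session('user_id' => 42)
  puts "valid cookie    -> #{decode_session(cookie).inspect}"
  puts "tampered cookie -> #{decode_session(tamper(cookie, from: 42, to: 1)).inspect}"
end
```

Note what the signature does and does not buy: it stops the browser from forging or editing the session, but a cookie copied off the wire or out of a public terminal verifies just as well as the original, which is why the hijacking countermeasures above (TLS, Secure and HttpOnly flags, short session lifetimes, reset_session) are still needed with the cookie store.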