Skip to content

Latest commit

 

History

History
77 lines (44 loc) · 2.71 KB

README.md

File metadata and controls

77 lines (44 loc) · 2.71 KB

session_protector

DESCRIPTION

WARNING: this only makes a little bit harder to hijack user session, our solution basically have nothing to do with session security!!

Clear session if HTTP_USER_AGENT and IP differs from the one saved in session. This make it harder to successfully use session hijacking tools like firesheep.

Also, usage of browser_fingerprint.js allows usage of pseudo-unique fingerprint of users browser details. Both combined makes much harder (at least for script kiddies using firesheep for evil purposes) to hijack session (yeah, right).

REQUIREMENTS

Rails

INSTALL

add

gem 'session_protector'

to Gemfile and run

bundle install

You MAY also want to install browser_fingerprint script. To do this simply:

rails generate session_protector:install

And reference to browser_fingerprint.js script in HEAD section or your layout. Ie:

<%= javascript_include_tag 'browser_fingerprint', :cache => true %>

browser_fingerprint.js is not yet JavaScript framework agnostic. It REQUIRES jQuery now.

CONFIGURATION

You may want to disable IP checking. To do this simply paste following code in config/initializers/session_protector.rb

SessionProtector.setup do |config|
  # don't check IP address
  config.check_ip = false
end

HOW IT WORKS

  • middleware checks, if USER_AGENT didn't change. This should scare of most part of script kiddies using firesheep
  • javascript part checks for browsers USER_AGENT, installed plugins, screen resolution, timezone, browser capabilities and makes md5 hash from string containing all those informations. hash is stored in cookie, then, if not empty, it's assigned to session. If on next page load (script have to be executed at least once, somehow) hash strings on server side (session) and client are different, session is destroyed.

It's not the best nor ultimate solution, but as long as you can not send cookies via SSL, nothing can assure you, that session will not be hijacked - bas guys can still gather users cookies, sniff for user_agent, use browser spoofing tools, etc.

AUTHORS

  • Piotr Boniecki (piotr [at] galdomedia [dot] pl)
  • Maciej Litwiniuk (maciej [at] galdomedia [dot] pl )

CREDITS

Copyright (c) 2010 Piotr Boniecki (piotr [at] galdomedia [dot] pl), released under the MIT license