Django and Ruby on Rails security issue

[peterw]

http://maverickblogging.com/list-of-websites-using-ruby-on-rails-cookiestore-for-session-management/

So it is really easy to copy session cookies and to use them to be logged into someone else account.

Well, I did some digging and have the following list of 1,897 websites for your review.

So use SSL to login to the sites or you can't be sure that someone else can use your account.

Sites that do have that secruity issue:

• Warner Bros
• Kickstarter
• Paper.li
• Simfy
• Audioboo
• ....

 

[InertiaNetworks-John]

Yikes! Sites should be using ssl....

 

[marlencrabapple]

Cookies? Couldn't this be easily avoided if you just used some sort of hash of the users IP to check if the cookie is legit? Seems simple enough.

 

[peterw]

Cookies? Couldn't this be easily avoided if you just used some sort of hash of the users IP to check if the cookie is legit? Seems simple enough.

It is. Tell that the Django and RoR guys who forget to implement this.

 

[MartinD]

Not really up to them to implement it though - that's up to the developer using RoR/Django.

 

[marlencrabapple]

Not really up to them to implement it though - that's up to the developer using RoR/Django.

After reading into it a bit it looks like they were using a function built into RoR and Django that should've done all of it on its own. Isn't that the entire point of a framework? They're supposed to do things the right way so you don't have to try your hand and screw it all up.

 

[wlanboy]

Isn't that the entire point of a framework?


They're supposed to do things the right way so you don't have to try your hand and screw it all up.

Yup that's correct.

If you have to do everything on your own you are not using a "framework".