123456789_123456789_123456789_123456789_123456789_

Class: Rack::Protection::SessionHijacking

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, Base
Instance Chain:
self, Base
Inherits: Rack::Protection::Base
Defined in: rack-protection/lib/rack/protection/session_hijacking.rb

Overview

Prevented attack

Session Hijacking

Supported browsers

all

More infos

http://en.wikipedia.org/wiki/Session_hijacking

Tracks request properties like the user agent in the session and empties the session if those properties change. This essentially prevents attacks from Firesheep. Since all headers taken into consideration can be spoofed, too, this will not prevent determined hijacking attempts.

Constant Summary

Base - Inherited

DEFAULT_OPTIONS

Class Method Summary

Base - Inherited

.default_options, .default_reaction, .new

Instance Attribute Summary

Base - Inherited

#app, #options

Instance Method Summary

Base - Inherited

#accepts?, #call, #debug, #default_options,
#default_reaction

Alias for Base#deny.
#deny, #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#accepts?(env) ⇒ Boolean

[ GitHub ] 

  


# File 'rack-protection/lib/rack/protection/session_hijacking.rb', line 21



def accepts?(env)
  session = session env
  key     = options[:tracking_key]
  if session.include? key
    session[key].all? { |k, v| v == encode(env[k]) }
  else
    session[key] = {}
    options[:track].each { |k| session[key][k] = encode(env[k]) }
  end
end


  








  

    #encode(value)  
  

  [ GitHub ]


  

  


# File 'rack-protection/lib/rack/protection/session_hijacking.rb', line 32



def encode(value)
  value.to_s.downcase
end