123456789_123456789_123456789_123456789_123456789_

Class: Rack::Protection::SessionHijacking

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, Base
Instance Chain:
self, Base
Inherits: Rack::Protection::Base
Defined in: rack-protection/lib/rack/protection/session_hijacking.rb

Overview

Prevented attack

Session Hijacking

Supported browsers

all

More infos

http://en.wikipedia.org/wiki/Session_hijacking

Tracks request properties like the user agent in the session and empties the session if those properties change. This essentially prevents attacks from Firesheep. Since all headers taken into consideration can be spoofed, too, this will not prevent determined hijacking attempts.

Constant Summary

Base - Inherited

DEFAULT_OPTIONS

Class Method Summary

Base - Inherited

.default_options

Used by subclasses to declare default values for options they require.

.default_reaction

Used by subclasses to declare default reaction when a request is rejected.

.new

Instance Attribute Summary

Base - Inherited

Instance Method Summary

Base - Inherited

#accepts?, #call, #debug, #default_options,
#default_reaction

Alias for Base#deny.

#deny

Deny the request.

#drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer,
#report

When used as a reaction (with option reaction: :report), any rejected request will be allowed through, and a warning is omitted (note that warnings will not be shown if the :logging option has been set to false).

#safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#accepts?(env) ⇒ Boolean

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/session_hijacking.rb', line 21

def accepts?(env)
  session = session env
  key     = options[:tracking_key]
  if session.include? key
    session[key].all? { |k, v| v == encode(env[k]) }
  else
    session[key] = {}
    options[:track].each { |k| session[key][k] = encode(env[k]) }
  end
end

#encode(value)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/session_hijacking.rb', line 32

def encode(value)
  value.to_s.downcase
end