StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POHow do I prevent Rails users from accidentally authenticating as the wrong user?
primarykey
Id
4044591
data
AcceptedAnswerId
4048233
AnswerCount
5
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2010-10-28T15:45:17.457
FavoriteCount
0
LastActivityDate
2014-01-17T15:01:56.107
LastEditDate
LastEditorUserId
0
OwnerUserId
191086
ParentId
0
PostTypeId
1
Score
3
ViewCount
297
LastEditorDisplayName
text
Body
Specifically, I have written a Rails app in which I'm using the default (in Rails 2.3.5) <code>CookieStore</code> session store and I've spotted an odd problem in development. Myself and a few others had been using the site for a few weeks and we each had a login based on a username and password (each user registered themselves and I stored the (salted and hashed) data in the database). I was storing the user ID in the Rails <code>session</code> object (and, therefore, in the cookie that is passed back and forth between browser and server). One important point here: since this is an intranet site, I set the cookies to stay alive for up to 2 weeks to avoid users having to log in all the time. Today I reset the database, wiping all user records (and all other data, intentionally). A few users started registering themselves again and then one user found that the first time they went to the site since the wipe they were automatically logged-in as a different user! I think I can see why this happened: the user ID passed from that user's browser to the server now matched a different user-record in my database. My initial thought was "oh dear, I wasn't expecting that!" but the more I thought about it the more I realised this was probably expected behaviour. I realise I can change my Rails app to user <code>ActiveRecordStore</code> but before I did that I wanted to make sure I understand what's going on here. Specifically, does the combination of using <code>CookieStore</code> sessions and having the sessions stay alive for some time really create such a gaping security hole? Or am I missing something? Should the <code>session_id</code> be providing a little more security here?
Tags
<ruby-on-rails><security><cookies>
Title
How do I prevent Rails users from accidentally authenticating as the wrong user?
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USBen
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POHow do I prevent Rails users from accidentally authenticating as the wrong user?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POHow do I prevent Rails users from accidentally authenticating as the wrong user?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.