Class: Rack::Protection::SessionHijacking

Inherits:

Base

• Object
• Base
• Rack::Protection::SessionHijacking

Defined in:

lib/rack/protection/session_hijacking.rb

Overview

Prevented attack

Session Hijacking

Supported browsers

all

More infos

en.wikipedia.org/wiki/Session_hijacking

Tracks request properties like the user agent in the session and empties the session if those properties change. This essentially prevents attacks from Firesheep. Since all headers taken into consideration can be spoofed, too, this will not prevent determined hijacking attempts.

Constant Summary

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Instance Method Summary

• #accepts?(env) ⇒ Boolean
• #encode(value) ⇒ Object

Methods inherited from Base

#call, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#accepts?(env) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rack/protection/session_hijacking.rb', line 21

def accepts?(env)
  session = session env
  key     = options[:tracking_key]
  if session.include? key
    session[key].all? { |k, v| v == encode(env[k]) }
  else
    session[key] = {}
    options[:track].each { |k| session[key][k] = encode(env[k]) }
  end
end

#encode(value) ⇒ Object

# File 'lib/rack/protection/session_hijacking.rb', line 32

def encode(value)
  value.to_s.downcase
end