Class: Rack::Protection::SessionHijacking

Inherits:
Base
Defined in:
lib/vendor/rack-protection-1.5.1/lib/rack/protection/session_hijacking.rb

Overview

Prevented attack

Session Hijacking

Supported browsers

all

More info

en.wikipedia.org/wiki/Session_hijacking

Tracks request properties such as the user agent in the session and empties the session if any of those properties change. This essentially prevents attacks from tools such as Firesheep. Since all the headers taken into consideration might be spoofed too, this will not prevent all hijacking attempts.

Constant Summary

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Instance Method Summary

Methods inherited from Base

#call, #default_options, default_options, default_reaction, #deny, #drop_session, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#accepts?(env) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/vendor/rack-protection-1.5.1/lib/rack/protection/session_hijacking.rb', line 19

def accepts?(env)
  session = session env
  key     = options[:tracking_key]
  if session.include? key
    # Known session: every tracked property must still match the stored fingerprint.
    session[key].all? { |k,v| v == encrypt(env[k]) }
  else
    # First request for this session: record the fingerprint of each tracked property.
    session[key] = {}
    options[:track].each { |k| session[key][k] = encrypt(env[k]) }
  end
end

#encrypt(value) ⇒ Object

# File 'lib/vendor/rack-protection-1.5.1/lib/rack/protection/session_hijacking.rb', line 30

def encrypt(value)
  # Normalise case so that only a real change in the header value breaks the match.
  value = value.to_s.downcase
  options[:encrypt_tracking] ? super(value) : value
end
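The behaviour described in the overview and implemented by accepts? above, shown as an added, self-contained example rather than the gem's own code: a SessionFingerprint class (hypothetical name) stores a fingerprint of the tracked headers on the first request, accepts later requests only if they still match, and empties the session on a mismatch, as the middleware's drop_session reaction does. Digest::SHA256 stands in for Base#encrypt here; the header names and the plain Hash session are constructed sample input.

```ruby
require 'digest'

# Hypothetical stand-in for Rack::Protection::SessionHijacking (not the gem's code).
class SessionFingerprint
  DEFAULT_TRACK = %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE].freeze
  TRACKING_KEY  = 'tracking'.freeze

  def initialize(track: DEFAULT_TRACK, key: TRACKING_KEY, hash: true)
    @track, @key, @hash = track, key, hash
  end

  # Mirrors accepts?: true when the stored fingerprint matches; on first sight
  # the fingerprint is recorded and the request is accepted.
  def accepts?(env, session)
    if session.include?(@key)
      session[@key].all? { |k, v| v == fingerprint(env[k]) }
    else
      session[@key] = @track.each_with_object({}) { |k, h| h[k] = fingerprint(env[k]) }
      true
    end
  end

  # Mirrors the middleware's reaction: a mismatch empties the whole session,
  # so whoever presents the stolen cookie lands in a fresh, unauthenticated one.
  def call(env, session)
    session.clear unless accepts?(env, session)
    session
  end

  private

  # Case-insensitive like encrypt above; hashing stands in for Base#encrypt.
  def fingerprint(value)
    value = value.to_s.downcase
    @hash ? Digest::SHA256.hexdigest(value) : value
  end
end

# Constructed sample requests that all present the same session cookie.
def demo
  guard   = SessionFingerprint.new
  session = { 'user_id' => 42 }
  first = { 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux)', 'HTTP_ACCEPT_LANGUAGE' => 'en-US' }
  same  = first.merge('HTTP_USER_AGENT' => 'mozilla/5.0 (x11; linux)') # differs only in case
  other = first.merge('HTTP_USER_AGENT' => 'curl/8.0')                  # a different client
  [first, same, other].map { |env| guard.call(env, session).key?('user_id') }
end
```

demo returns [true, true, false]: the logged-in state survives the case-only change but not the user-agent change, which is exactly the limit the overview notes, since a client that reproduces the tracked headers is still accepted.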