require 'rack/protection'
module Rack
module Protection
##
# Prevented attack:: Session Hijacking
# Supported browsers:: all
# More info:: http://en.wikipedia.org/wiki/Session_hijacking
#
# Tracks request properties like the user agent in the session and empties
# the session if those properties change. This essentially prevents attacks
# from Firesheep. Since all headers taken into consideration might be
# spoofed, too, this will not prevent all hijacking attempts.
class SessionHijacking < Base
  # When the recorded fingerprint no longer matches, the reaction is to drop
  # the session (the reaction itself is implemented in Base).
  default_reaction :drop_session

  # :tracking_key     - session key under which the fingerprint hash is kept
  # :encrypt_tracking - when truthy, tracked values pass through Base#encrypt
  #                     before being stored or compared
  # :track            - Rack env keys whose values form the fingerprint
  default_options :tracking_key => :tracking, :encrypt_tracking => true,
                  :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE]

  # Returns a truthy value when the request still matches the fingerprint
  # recorded in its session. On the first request of a session (no
  # fingerprint stored yet) the fingerprint is recorded and the request is
  # accepted.
  #
  # env - the Rack environment hash
  def accepts?(env)
    current = session env
    key     = options[:tracking_key]

    # Every recorded header must still yield the same (encrypted) value.
    # NOTE: String#== is not constant-time; the values compared here are
    # derived from client-supplied headers rather than from a secret, so a
    # timing-safe comparison is not relied upon.
    return current[key].all? { |header, recorded| recorded == encrypt(env[header]) } if current.include? key

    # First sighting of this session: record the fingerprint under the
    # tracking key, reading the stored hash back before filling it in.
    current[key] = {}
    fingerprint = current[key]
    options[:track].each { |header| fingerprint[header] = encrypt(env[header]) }
  end

  # Normalises a tracked header value: stringified (nil becomes "") and
  # down-cased, then passed to Base#encrypt unless :encrypt_tracking is off.
  #
  # value - raw header value from the Rack env, may be nil
  def encrypt(value)
    normalised = value.to_s.downcase
    return normalised unless options[:encrypt_tracking]

    super(normalised)
  end
end
end
end