Security researcher G.S. McNamara has a solution for this problem

Sep 26, 2013 13:04 GMT  ·  By

Security researcher G.S. McNamara warns that versions 2.0 through 4.0 of Ruby on Rails are not designed to invalidate session cookies when the user logs out. This means that if an attacker obtains one of these cookies, they can hijack the user’s account.

According to McNamara, the Rails session storage mechanism, the CookieStore, holds the entire user session hash in the web browser as a cookie. This means that there’s no entry in the “sessions” database that can be deleted on logout.

“My concern is more than just current session hijacking via Firesheep or similar; a malicious user could use the stolen cookie from any authenticated request by the user to log in as them at any point in the future,” the expert noted.

Since there is no server-side session record to delete, Rails simply issues a new, “empty-ish” cookie that overwrites the previous one in the browser. The previous cookie, however, remains valid and is still accepted by the application if presented again.

To address the issue, developers must configure their apps to keep most session information on the server side, in the database, where it can be deleted on logout.
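The contrast between the two designs can be shown without a Rails app. The following Ruby script is an added example, not code from the article or from Rails: it models a simplified signed-cookie store (an HMAC over a JSON hash, standing in for the real CookieStore serialization) next to a server-side store in which the cookie carries only an opaque session id. The `SECRET` value, the module names and the `replay_after_logout` helper are constructed for the demo. After "logout", the captured cookie-store cookie still resolves to the user, while the server-side id resolves to nothing.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Constructed demo secret; a real Rails app signs with secret_key_base.
SECRET = 'demo-secret-not-for-production'.freeze

# Simplified CookieStore: the whole session hash travels in the cookie and the
# server keeps no record of which cookies it has issued. It can only verify the
# signature, so any validly signed cookie is a live session, forever.
module CookieStoreSession
  def self.encode(session_hash)
    data = [JSON.generate(session_hash)].pack('m0') # strict base64
    sig  = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
    "#{data}--#{sig}"
  end

  def self.decode(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil if data.nil? || sig.nil?
    expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
    return nil unless secure_compare(sig, expected)
    JSON.parse(data.unpack1('m0'))
  end

  # Constant-time comparison so signature checks do not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.login(user_id)
    encode('user_id' => user_id)
  end

  # "Logout" can only hand the browser a fresh empty cookie; the previously
  # issued cookie is still correctly signed and still decodes to the user.
  def self.logout
    encode({})
  end

  def self.current_user(cookie)
    session = decode(cookie)
    session && session['user_id']
  end
end

# Server-side store: the cookie holds only a random id; the session hash lives
# in a table on the server (here a plain Hash standing in for the DB table).
module ServerSideSession
  @store = {}

  def self.login(user_id)
    sid = SecureRandom.hex(16)
    @store[sid] = { 'user_id' => user_id }
    sid
  end

  # Deleting the row kills every copy of the old cookie, stolen or not.
  def self.logout(sid)
    @store.delete(sid)
    nil
  end

  def self.current_user(sid)
    session = @store[sid]
    session && session['user_id']
  end
end

# Replays a cookie captured before logout against both stores and returns the
# user id each store still accepts (nil means the session is really gone).
def replay_after_logout
  captured_cookie = CookieStoreSession.login(42)
  CookieStoreSession.logout
  captured_sid = ServerSideSession.login(42)
  ServerSideSession.logout(captured_sid)
  {
    cookie_store: CookieStoreSession.current_user(captured_cookie),
    server_side:  ServerSideSession.current_user(captured_sid)
  }
end

p replay_after_logout if __FILE__ == $PROGRAM_NAME
```

In a Rails application the server-side variant corresponds to switching the session store away from the cookie store, for example with `config.session_store :active_record_store` in the app's initializer (in Rails 4 this requires the separate `activerecord-session_store` gem); the cookie then carries only the session id, and the logout action destroys the database row.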

For additional technical details and remediation, check out McNamara’s blog.