Background Information
We recently ran into a problem in which user A could inadvertently seize the session of user B, who was trying to access a download created by the controller at about the same time as user A.
We are still not 100% sure that all of the conditions below are necessary for this, but we can reliably reproduce the problem in our production and staging environments. The important details of these environments are as follows.
Environment information
- Application server: Phusion Passenger 5.0.21 or 5.0.24 (we tried both versions and both reproduced the problem)
- Framework: Rails 4.2.4
- Language: Ruby 2.2.3
- Operating system: CentOS 6
Interestingly, we can NOT reproduce this problem using Phusion Passenger 4.0.53.
Session theft steps
It may seem too simple to be true, but this is all that is needed.
- User A logs in to the system
- User B logs into the system
- Users A and B quickly press the same download button (almost) at the same time
This is all that is required to inadvertently capture a session. (Which session gets captured, A's or B's, seems to be a roulette, although it is probably not as random as it looks.)
We know that the user's session was captured because we can see the first and last name of the current session's user displayed on the page.
"" .
, , . , - , ....
, Phusion Passenger , , , 4, .
, , -, .
, Phusion Passenger 5.0.21 5.0.24:
def sample_method
  respond_to do |format|
    format.csv {
      headers.merge!({'Cache-Control' => 'must-revalidate, post-check=0, pre-check=0'})
      # The body is a proc: Rails hands it to the server and it is only
      # executed when the response is streamed, after this action returns.
      render :text => proc { |response, output|
        100.times do |i|
          output.write("This is line #{i}\n")
        end
      }
    }
  end
end
, Cache-Control, , .
, , , - , .
, , Controller # sample_method, , .
, , CSV CSV, CSV proc , CSV .
.
Devise gem . , , Devise .
, , . .
, , . Phusion Passenger, , . ( .)
, . #send_data format.csv.
- :
format.csv {
  # The whole body is built inside the action and handed over as a string.
  send_data data_here, filename: filename, type: 'text/csv', disposition: 'attachment'
}
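As an added example (not code from the original post, and not a description of Passenger's internals), here is a constructed Ruby model of the hazard class the question describes: a response body that is generated after the action returns can read request-scoped state that by then belongs to another request, whereas a body built eagerly, the way send_data does, can only see the request that built it. RequestContext, the user names and the CSV rows are constructed stand-ins.

```ruby
# Constructed model of the deferred-body hazard (added example; it does not
# claim to reproduce Passenger's actual scheduling).
require 'csv'

# Stand-in for request-scoped state such as the current session's user.
module RequestContext
  class << self
    attr_accessor :current_user
  end
end

# "Deferred" rendering: like `render :text => proc {...}`, the body is
# produced later, when the server streams the response, not while the
# controller action is running.
def deferred_csv_response(rows)
  body = proc do
    CSV.generate do |csv|
      csv << ['requested_by', RequestContext.current_user]
      rows.each { |r| csv << r }
    end
  end
  { headers: { 'Content-Type' => 'text/csv' }, body: body }
end

# "Eager" rendering: like `send_data`, the whole body is built inside the
# action, so it snapshots the state of the request that built it.
def eager_csv_response(rows)
  data = CSV.generate do |csv|
    csv << ['requested_by', RequestContext.current_user]
    rows.each { |r| csv << r }
  end
  { headers: { 'Content-Type' => 'text/csv',
               'Content-Disposition' => 'attachment; filename="report.csv"' },
    body: data }
end

# Simulate two interleaved requests: A's action runs, then B's request takes
# over the context before A's body is streamed. Returns the user name that
# ends up inside A's download for the given strategy.
def simulate_interleaving(strategy)
  rows = [['line', '1'], ['line', '2']]          # constructed sample data
  RequestContext.current_user = 'Alice'          # request A is being served
  response = send(strategy, rows)
  RequestContext.current_user = 'Bob'            # request B now owns the context
  body = response[:body]
  body = body.call if body.respond_to?(:call)    # deferred body runs only now
  CSV.parse(body).first[1]                       # who the CSV says requested it
end

if __FILE__ == $PROGRAM_NAME
  puts "deferred body attributes A's download to: #{simulate_interleaving(:deferred_csv_response)}"
  puts "eager body attributes A's download to:    #{simulate_interleaving(:eager_csv_response)}"
end
```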
. - , - - , , , .
?
, , , .
, , , cookie . ( .)
, , (, Passenger?), .
, .
, , , , .
!