In particular, I wrote a Rails application in which I use the default session store (in Rails 2.3.5), CookieStore, and I found a strange development problem.
Several others and I used the site for several weeks, and each of us had a user account based on a username and password (each user logged in and I saved the (salted and hashed) details in a database). I saved the user ID in the Rails session object (and therefore in the cookie that is passed between the browser and the server).
One important point here: since this is an intranet site, I set the cookies to stay alive for up to 2 weeks so that users do not have to log in all the time.
Today I reset the database by wiping all user records (and all other data, intentionally). Several users started to register again, and then one user found that the first time they visited the site since the wipe, they were automatically logged in as another user!
I think I can understand why this happened: the user ID passed from this user's browser to the server now matches a different user record in my database. My initial thought was "Oh dear, I did not expect this!" but the more I thought about it, the more I realized that this was probably the expected behavior.
I understand that I can change my Rails application to use ActiveRecordStore, but before I do this, I want to make sure that I understand what is going on here. In particular, does the use of sessions combined with CookieStore, where sessions remain alive for some time, really create such a gaping security hole? Or am I missing something? Shouldn't the session_id provide a bit more security here?
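Added example (Ruby, not the question author's code) that replays the incident described above against a constructed in-memory stand-in for the users table, and shows one mitigation: binding the cookie session to a random per-user token column (a hypothetical `session_token`), so that a re-created row that happens to get the same id no longer satisfies an old cookie.

```ruby
require 'securerandom'

# Constructed stand-in for a users table with auto-increment ids.
class UserTable
  def initialize; @rows = {}; @next_id = 1; end
  def create(name)
    id = @next_id; @next_id += 1
    # session_token is a hypothetical random column, set when the row is created.
    @rows[id] = { id: id, name: name, session_token: SecureRandom.hex(16) }
  end
  def find(id); @rows[id]; end
  def wipe!; @rows.clear; @next_id = 1; end # clear the table and reset ids, as on the page
end

# Login writes the user id into the cookie-backed session, as in the question.
def login(session, user)
  session[:user_id] = user[:id]
  session[:session_token] = user[:session_token] # only the hardened lookup uses this
end

# Naive lookup: trusts whatever id the (still validly signed) cookie carries.
def current_user_naive(session, users)
  users.find(session[:user_id])
end

# Hardened lookup: the id must also come with the token stored on the row;
# a re-created row gets a fresh token, so an old cookie no longer matches.
def current_user_hardened(session, users)
  user = users.find(session[:user_id])
  return nil unless user && session[:session_token]
  secure_compare(user[:session_token], session[:session_token]) ? user : nil
end

# Constant-time string comparison so token checks do not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Replays the incident: Alice logs in, the database is wiped, Bob registers
# first and receives id 1, then Alice's two-week cookie comes back.
def replay_incident
  users = UserTable.new
  alice_cookie = {}
  login(alice_cookie, users.create('alice'))
  users.wipe!
  bob = users.create('bob')
  { naive: current_user_naive(alice_cookie, users)&.fetch(:name),
    hardened: current_user_hardened(alice_cookie, users)&.fetch(:name),
    bob_id: bob[:id] }
end
```

Rotating the application's session secret after a wipe, or moving to ActiveRecordStore as mentioned in the question, would also invalidate every outstanding cookie.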