Session fixation vulnerability in Devise

There is a vulnerability in Devise source code that allows someone to steal your session through session fixation attacks.

Who is affected?

This vulnerability is present in all Devise versions, in both 1.0 and 1.1 branches. However, you are only affected if you are using a Active Record ou Memcached or other server persistent session store. Projects using cookie stores (Rails default) are not affected.

If you are using Devise defaults which requires the user a password to update his account, it is unlikely the target account can be stolen, however the attacker will be able to normally perform actions in the website.


To fix this vulnerability, we released Devise 1.0.9 for Rails 2.3.x applications and Devise 1.1.4 for Rails 3.x.

In another note, Devise 1.2.rc was also released, which includes this security fix and Omniauth support. Check the CHANGELOG for more information.


Thanks to Olivier Dembour and Stephen Touset for reporting the vulnerability.

2 responses to “Session fixation vulnerability in Devise”

  1. pjb3 says:

    Now that the security issues has been fixed, could you provide more details on the vulnerability? I looked at the commit and I see that you are making sure a new session ID is generated upon login, which is good, but if you are only allowing the session ID to submitted via a cookie and not be set by a query string param or form param, is there still a vulnerability?

  2. josevalim says:

    Rails does not allow by default to set the session ID through GET or POST and that is really not recommended. All the problems with having the session ID stored in a cookie is fixed after this release.