Comments on: Session fixation vulnerability in Devise /2010/11/session-fixation-vulnerability-in-devise/ Plataformatec's place to talk about Ruby, Ruby on Rails, Elixir, and software engineering Fri, 11 Feb 2011 12:13:34 +0000 hourly 1 https://wordpress.org/?v=6.4.2 By: josevalim /2010/11/session-fixation-vulnerability-in-devise/comment-page-1/#comment-1049 Fri, 26 Nov 2010 18:07:00 +0000 /?p=1520#comment-1049 In reply to pjb3.

Rails does not allow by default to set the session ID through GET or POST and that is really not recommended. All the problems with having the session ID stored in a cookie is fixed after this release.

]]> By: pjb3 /2010/11/session-fixation-vulnerability-in-devise/comment-page-1/#comment-1048 Fri, 26 Nov 2010 17:14:00 +0000 /?p=1520#comment-1048 Now that the security issues has been fixed, could you provide more details on the vulnerability? I looked at the commit and I see that you are making sure a new session ID is generated upon login, which is good, but if you are only allowing the session ID to submitted via a cookie and not be set by a query string param or form param, is there still a vulnerability?

]]>