Topic: Authentication and security

I thought of something and it's been making me paranoid for a little while (well, not really, it's a personal project, not too big of a deal).

I have a login configured and everything about that works pretty well, but I have an admin user that can access some additional controllers compared to a regular user, and this access is stored in a field in the User object called "role".  If the role is "admin" then the user can access the admin controller.  My filter checks to see if the session variable's role is set to "admin"

However, once they've logged in, I wondered if they could hack the session variable to somehow set the role to "admin" manually.  First, is this plausible?

Okay, regardless, my check_admin filter will now quickly lookup the session user_id to see if the user id actually matches the one in the database.  This way they would have to hack the user_id and the role to set an admin user.  But now they can start guessing user_ids to try to hit an admin.

So now, I'm wondering how to prevent these sorts of hacks?  Do I check the hashed password (something much less likely to be hackable)?  Or do I generate a session hash that can't really be arbitrarily guessed at any time and somehow throw that in to the whole mix?  Or, am I completely mistaken and I can throw anything into the session variable without worrying about it being hacked while somebody's visiting my site?



Re: Authentication and security

the session data is stored on the server side so the user cannot edit it (unless you let them through your application somehow). All the user has is a session key which is hashed so you don't have to worry about someone guessing another's session key. Rails handles this all for you behind the scenes, and it is secure so I wouldn't worry about it.

Last edited by ryanb (2006-09-06 01:50:17)

Railscasts - Free Ruby on Rails Screencasts