Zachary Wright

Reputation: 24080

How to detect if a user has another user's session in Rails?

We are experiencing a bizarre, very rarely occurring bug where a user will be logged into another user's account.

We are on Rails 4.2. We use authlogic for authentication and dalli as our memcached client. We use memcache as the session store.

I haven't been able to figure out what is causing the issue, but the worst part is that even if I did have a hypothesis I wouldn't know how to confirm if it worked or not.

I would like to find some way to log if a user has been given the wrong session, both to help debug the problem and to determine if a potential fix works.

I'm just not sure if it's possible. If the user's cookie has the wrong session ID, how can I possibly figure that out?

Upvotes: 1

Views: 284

Answers (1)

Chloe

Reputation: 26294

Try going back to signed, encrypted cookie session store. Use memcached for frequently accessed items, like the user record. Load the user model from memcached instead of the database.

If you really want to log session hijacking, then log the user's IP address. If the IP address suddenly changes, as if they were logged in one place, then all of a sudden are making requests from another place, then maybe another user hijacked their session cookie?

http://guides.rubyonrails.org/v5.0/security.html#session-hijacking

Be aware that using TOR would show that pattern, as it generates a new route every ten minutes, but doesn't mean the session was stolen or mixed up.

If you are not using signed or encrypted cookies, then it allows JavaScript or malicious ads to steal the session id and send it back to the attacker's server.

It could also be your session ids are not secure or random enough. Maybe a new session id overwrites another session id in memcached? Since you are using a different session store, maybe you customized the session identifier?

Upvotes: 0
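The logging the answer describes, as an added example that is not code from the question, the answer, or authlogic: at login the session is bound to a fingerprint of the client's IP address and User-Agent, and every later request that presents that session id from a different client is logged (session id, user id, bound IP, request IP) so the events can be correlated with user reports. It also shows the answer's point about session ids: a freshly minted random id is stored with an add-if-absent write so that a colliding id is detected rather than silently overwriting another user's session. `MemStore`, `Request`, `SessionGuard` and `demo` are hypothetical stand-ins for a Dalli client, a Rack request and a Rails before_action; in a real app the same logic would read `request.remote_ip`, `request.user_agent` and `session`.

```ruby
require 'securerandom'
require 'digest'
require 'json'

# Hypothetical in-memory stand-in for Dalli::Client; like memcached's ADD,
# #add returns false instead of overwriting when the key already exists.
class MemStore
  def initialize
    @h = {}
  end

  def get(key)
    @h[key]
  end

  def set(key, value)
    @h[key] = value
    true
  end

  def add(key, value)
    return false if @h.key?(key)
    @h[key] = value
    true
  end
end

# Minimal stand-in for the parts of Rack::Request the check needs.
Request = Struct.new(:ip, :user_agent, :session_id)

class SessionGuard
  def initialize(store, log)
    @store = store   # session store (memcached in the question)
    @log = log       # any object responding to << (an Array here, Rails.logger in practice)
  end

  # Fingerprint of the client; a change in either IP or User-Agent flags the request.
  def fingerprint(req)
    Digest::SHA256.hexdigest("#{req.ip}|#{req.user_agent}")[0, 16]
  end

  # Called at login: mint a fresh 128-bit random id (never reuse the pre-login one)
  # and bind user_id plus fingerprint to it.
  def login(req, user_id)
    sid = SecureRandom.hex(16)
    data = { 'user_id' => user_id, 'fp' => fingerprint(req), 'ip' => req.ip }
    # add, not set: if this id somehow already exists we find out instead of
    # handing one user another user's session.
    raise 'session id collision' unless @store.add("session:#{sid}", data.to_json)
    sid
  end

  # Called on every request. Returns :ok, :no_session or :mismatch and logs mismatches.
  def check(req)
    raw = @store.get("session:#{req.session_id}")
    return :no_session unless raw
    data = JSON.parse(raw)
    if data['fp'] != fingerprint(req)
      @log << "session=#{req.session_id} user_id=#{data['user_id']} " \
              "bound_ip=#{data['ip']} request_ip=#{req.ip} fingerprint mismatch"
      return :mismatch
    end
    :ok
  end
end

# Constructed scenario: one user logs in, then the same session id arrives
# from a different IP and User-Agent.
def demo
  store = MemStore.new
  log = []
  guard = SessionGuard.new(store, log)

  alice = Request.new('203.0.113.5', 'Mozilla/5.0', nil)
  alice.session_id = guard.login(alice, 42)
  same_client = guard.check(alice)

  other = Request.new('198.51.100.9', 'curl/8.0', alice.session_id)
  other_client = guard.check(other)

  [same_client, other_client, log]
end

if __FILE__ == $PROGRAM_NAME
  same_client, other_client, log = demo
  puts "same client: #{same_client}, other client: #{other_client}"
  puts log
end
```

The check only logs; as the answer notes, a legitimate user on Tor or a mobile network will also change IP, so a mismatch is a signal to correlate with support tickets, not grounds to terminate the session on its own. Dalli exposes `add` with the same semantics as the stand-in above, so the collision check carries over to the real store.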
