Hi,

I think I found a flaw in the CGI session code (CGI/session.rb):
When creating a new session based on an incoming request without session_key
nor session_id, Session::new calls create_new_id to generate a new
session_id. It is actually never checked whether this newly generated
session_id is already in use (its uniqueness is not checked). This means
that when it turns out to be a duplicate, the user gets somebody else's
session...

The chance of session_id collision looks like it should be extremely small,
but on our Ruby on Rails setup (load balanced machines, mongrel clusters
behind nginx, with sessions in active_record_store on master-master
replicated mysql dbs) we encountered about 1 collision per 1000 session_id
creations. We had about 25000 sessions in our session store at that time.
Limiting the amount of stored sessions has made things better a bit, but is
not a scalable solution.

The fix for this is not so simple, as it looks like it needs to be addressed
in the session store code (option['database_manager']). I'm willing to
provide a patch but would like your input on the matter first.

We still use Ruby 1.8.5 but I checked with trunk as well. We use Ruby on
Rails 1.2.1 in production.

Regards,
Bas van Klinkenberg
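
One way a session store can close the gap described in the message above, as an added example (not code from the original post or from CGI::Session): the store reserves the id atomically and the caller retries with a fresh id on collision. `UniqueSessionStore`, `reserve` and `create_session` are hypothetical names, and the in-memory hash stands in for a database table with a unique constraint on the session id column.

```ruby
require 'securerandom'

# Hypothetical in-memory store; stands in for a database table with a
# UNIQUE constraint on the session_id column.
class UniqueSessionStore
  class Collision < StandardError; end

  def initialize
    @rows = {}
    @lock = Mutex.new
  end

  # Atomic insert-if-absent: raises instead of silently reusing a row.
  def reserve(session_id, data)
    @lock.synchronize do
      raise Collision, session_id if @rows.key?(session_id)
      @rows[session_id] = data
    end
  end

  def fetch(session_id)
    @lock.synchronize { @rows[session_id] }
  end
end

# Generate an id, reserve it, and retry with a fresh id on collision.
# id_source is injectable so the collision path can be exercised.
def create_session(store, data, id_source: -> { SecureRandom.hex(16) }, max_attempts: 5)
  max_attempts.times do
    id = id_source.call
    begin
      store.reserve(id, data)
      return id
    rescue UniqueSessionStore::Collision
      next # never hand out the existing session; draw a new id instead
    end
  end
  raise "could not allocate a unique session id after #{max_attempts} attempts"
end

# Constructed demo: a deliberately bad id source that repeats its first value.
def demo
  store = UniqueSessionStore.new
  ids = %w[aaaa aaaa bbbb].each
  weak = -> { ids.next }
  first  = create_session(store, { user: 'alice' }, id_source: weak)
  second = create_session(store, { user: 'bob' }, id_source: weak)
  [first, second, store.fetch(first)[:user], store.fetch(second)[:user]]
end
```

With a real database the same effect comes from letting the unique-key violation on insert play the role of `Collision`, so the check and the write cannot be separated by a concurrent request.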
