How to prevent a session replay attack with Rails and Devise?


I am working on a Rails app that recently went through a security audit, and one of the issues they came up with is that if the user gets the "session_id" from another user's cookie, he is able to log in as that user. Is it possible to prevent this? How would I do it with my current setup?

Rails 3.2.12
devise (2.1.2)

My config/initializers/session_store.rb is

MyApp::Application.config.tap do |config|
  config.session_store :active_record_store, config.session_options
end

Force SSL is enabled in production:

config.force_ssl = true

I looked at "Rails 4 Encrypted Cookie Replay Attack", but since mine is using Active Record for sessions, I'm not sure I can do the same.

I tried to add :session_limitable from Devise security extension, but it appears to be doing something else altogether.

To quote the security test result:

Mitigate session replaying by ensuring that only 1 login is active at a time. -- able to log in as another user just by changing the "_session_id" cookie

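The control the audit asks for ("only 1 login active at a time") is usually implemented by giving each successful sign-in a fresh random token, storing it both on the user record and in that login's server-side session, and rejecting any request whose session carries a token other than the user's current one. The example below is an added illustration, not code from the question or from Devise: it models an Active Record style session store in plain Ruby so it runs without Rails, and the class and column names (`ServerSessionStore`, `LoginGuard`, `current_login_token`) are assumptions. In a real app the `sign_in` step would live in a `Warden::Manager.after_set_user` hook and `current_user` in a `before_action`. It also demonstrates the caveat a practitioner should understand before calling this a fix for the finding: a copied `_session_id` of a live session resolves to exactly the same server-side data as the victim's own cookie, so the check passes for the thief until the victim signs in again and the token rotates. Single-session limiting invalidates stale or replayed sessions; it does not by itself stop hijacking of an active one.

```ruby
require "securerandom"

# Constructed stand-in for a server-side session store (active_record_store style):
# the cookie carries only an opaque session id; the session data lives here.
class ServerSessionStore
  def initialize
    @sessions = {}
  end

  # Allocate a new empty session and return its id (the value the cookie would carry).
  def new_session
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  # Look up the data for a presented session id. Unknown ids are treated as no session.
  def data_for(session_id)
    @sessions[session_id] || {}
  end
end

# Constructed user record with one extra column holding the current login's token.
User = Struct.new(:id, :email, :current_login_token)

class LoginGuard
  def initialize(store, users_by_id)
    @store = store
    @users = users_by_id
  end

  # On every successful sign-in, rotate the per-login token on the user record and
  # copy it into this session. Every other session of that user is now stale.
  def sign_in(user, session_id)
    token = SecureRandom.hex(16)
    user.current_login_token = token
    session = @store.data_for(session_id)
    session[:user_id] = user.id
    session[:login_token] = token
    token
  end

  # Per-request check (a before_action in Rails). Returns the user only if the
  # session's token matches the user's current one; otherwise the session is
  # cleared and nil is returned so the request falls through to the login page.
  def current_user(session_id)
    session = @store.data_for(session_id)
    user = @users[session[:user_id]]
    return nil unless user
    token = session[:login_token]
    if token && token == user.current_login_token
      user
    else
      session.clear
      nil
    end
  end
end

# Walk through the audit scenario with constructed data and return the outcomes.
def demonstrate_single_login
  store = ServerSessionStore.new
  victim = User.new(1, "victim@example.com", nil)
  guard = LoginGuard.new(store, { victim.id => victim })

  laptop = store.new_session
  guard.sign_in(victim, laptop)

  # The attacker copies the victim's _session_id cookie value. The server sees
  # the same session id, hence the same data and the same (current) token.
  stolen = laptop
  stolen_while_active = !guard.current_user(stolen).nil?

  # The victim signs in from a second device: the token rotates, so the copied
  # session (and the original laptop session) now carry a stale token.
  phone = store.new_session
  guard.sign_in(victim, phone)
  stolen_after_relogin = !guard.current_user(stolen).nil?
  new_login_ok = !guard.current_user(phone).nil?

  # An id the store has never issued maps to no user at all.
  unknown_id_ok = !guard.current_user(SecureRandom.hex(16)).nil?

  {
    stolen_while_active: stolen_while_active,   # true:  indistinguishable from the victim
    stolen_after_relogin: stolen_after_relogin, # false: token rotated, session cleared
    new_login: new_login_ok,                    # true:  the newest login is the only valid one
    unknown_session: unknown_id_ok              # false
  }
end

if __FILE__ == $0
  demonstrate_single_login.each { |k, v| puts "#{k}: #{v}" }
end
```

The `stolen_while_active: true` result is the point to take to the auditors: with a server-side store and `force_ssl` already on, limiting a user to one login narrows the window in which a copied session id is useful but does not close it, so the underlying question is how the cookie value was obtained in the first place.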