class Rack::Protection::SessionHijacking

Prevented attack:   Session Hijacking

Supported browsers: all

More info:          en.wikipedia.org/wiki/Session_hijacking

Tracks request properties such as the User-Agent header in the session and empties the session if those properties change. This essentially stops the attack Firesheep automates: a session cookie sniffed from an open network and replayed from a different browser, whose headers will not match the stored values. Since every header taken into account can be spoofed too, this will not prevent determined hijacking attempts; an attacker who also captures or guesses the tracked headers passes the check. Note the flip side as well: a legitimate user whose tracked headers change mid-session (for example after a browser update) is logged out.

Public Instance Methods

accepts?(env)

# File lib/rack/protection/session_hijacking.rb, line 19
def accepts?(env)
  session = session env
  key     = options[:tracking_key]
  if session.include? key
    # Fingerprint already stored: every tracked value must still match.
    session[key].all? { |k,v| v == encrypt(env[k]) }
  else
    # First request in this session: record the fingerprint and accept
    # (the array returned by each is truthy).
    session[key] = {}
    options[:track].each { |k| session[key][k] = encrypt(env[k]) }
  end
end
encrypt(value)

Calls superclass method Rack::Protection::Base#encrypt

# File lib/rack/protection/session_hijacking.rb, line 30
def encrypt(value)
  # Header values are compared case-insensitively; unless :encrypt_tracking
  # is disabled, only the digest is stored in the session.
  value = value.to_s.downcase
  options[:encrypt_tracking] ? super(value) : value
end
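To see the check behave end to end, the following is an added, self-contained Ruby re-creation of the logic above (example code, not the library's own, and it does not load Rack). Base#encrypt is stood in for by a SHA-256 hexdigest and the session-emptying reaction by Hash#clear; the option defaults used here (a :tracking key, User-Agent and Accept-Language tracked) are assumptions, not taken from the page. It plays a victim's two requests and then a replayed cookie, once from a different browser and once with the victim's headers copied.

```ruby
require 'digest'

# Added example, not the library's code: a stand-alone re-creation of the
# SessionHijacking check so its behaviour can be observed without Rack.
# Assumptions: Base#encrypt is replaced by Digest::SHA256.hexdigest, the
# option defaults below are assumed, and the "empty the session" reaction
# from the description is modelled by Hash#clear.
class SessionFingerprint
  ASSUMED_DEFAULTS = {
    tracking_key:     :tracking,
    encrypt_tracking: true,
    track:            %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
  }.freeze

  attr_reader :options

  def initialize(**opts)
    @options = ASSUMED_DEFAULTS.merge(opts)
  end

  def session(env)
    env['rack.session'] ||= {}
  end

  # Same logic as the accepts? shown on the page.
  def accepts?(env)
    sess = session(env)
    key  = options[:tracking_key]
    if sess.include? key
      sess[key].all? { |k, v| v == encrypt(env[k]) }
    else
      sess[key] = {}
      options[:track].each { |k| sess[key][k] = encrypt(env[k]) }
    end
  end

  # Same logic as the encrypt shown on the page, with the stand-in hash.
  def encrypt(value)
    value = value.to_s.downcase
    options[:encrypt_tracking] ? Digest::SHA256.hexdigest(value) : value
  end

  # Simplified stand-in for the middleware reaction: a mismatch empties the session.
  def call(env)
    return :ok if accepts?(env)
    session(env).clear
    :dropped
  end
end

# Constructed sample values for the victim's browser.
VICTIM_UA   = 'Mozilla/5.0 (X11; Linux x86_64; rv:1.9.2) Gecko/20100101 Firefox/3.6'
VICTIM_LANG = 'en-US,en;q=0.5'

# Victim makes two requests, then the attacker replays the stolen cookie.
def run_scenario(attacker_ua:, attacker_lang:, **guard_opts)
  guard   = SessionFingerprint.new(**guard_opts)
  session = { 'user_id' => 42 }          # constructed: the victim's authenticated session
  env_for = lambda do |ua, lang|
    env = { 'rack.session' => session }
    env.merge('HTTP_USER_AGENT' => ua, 'HTTP_ACCEPT_LANGUAGE' => lang)
  end

  outcomes = []
  outcomes << guard.call(env_for.(VICTIM_UA, VICTIM_LANG))          # seeds the fingerprint
  outcomes << guard.call(env_for.(VICTIM_UA.upcase, VICTIM_LANG))   # same browser; downcasing tolerates case changes
  outcomes << guard.call(env_for.(attacker_ua, attacker_lang))      # replayed cookie from the attacker's client
  { outcomes: outcomes, user_id: session['user_id'], stored: session[guard.options[:tracking_key]] }
end

if __FILE__ == $PROGRAM_NAME
  naive    = run_scenario(attacker_ua: 'Mozilla/5.0 (Windows NT 6.1) Chrome/5.0', attacker_lang: 'de-DE')
  spoofing = run_scenario(attacker_ua: VICTIM_UA, attacker_lang: VICTIM_LANG)
  puts "different browser: #{naive[:outcomes].inspect}, user_id=#{naive[:user_id].inspect}"
  puts "copied headers:    #{spoofing[:outcomes].inspect}, user_id=#{spoofing[:user_id].inspect}"
end
```

The first run ends with the session emptied (the attacker is left holding an unauthenticated cookie), while the second run, in which the attacker sends the victim's exact headers, passes every check; that is the spoofing limitation the description warns about. With encrypt_tracking left on, the session carries only digests of the header values rather than the raw strings.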