简体繁体 English

在Rails中停止恶意用户之间的会话共享

[英]Stopping Session Sharing between malicious users in Rails

原文 2009-08-20 18:28:50 6 2 ruby-on-rails/ security/ session

What's the best way to keep users from sharing session cookies in Rails? 阻止用户在Rails中共享会话cookie的最佳方法是什么？

I think I have a good way to do it, but I'd like to run it by the stack overflow crowd to see if there's a simpler way first. 我认为我有一个很好的方法，但是我想由堆栈溢出人群来运行它，看看是否首先有一种更简单的方法。

Basically I'd like to detect if someone tries to share a paid membership with others. 基本上，我想检测是否有人尝试与他人共享付费会员资格。 Users are already screened at the point of login for logging in from too many different subnets, but some have tried to work around this by sharing session cookies. 在登录时已经对用户进行了筛选，以允许他们从太多不同的子网登录，但是有些用户尝试通过共享会话cookie来解决此问题。 What's the best way to do this without tying sessions to IPs (lots of legitimate people use rotating proxies). 在不将会话与IP绑定的情况下，最好的方法是什么（很多合法人使用轮换代理）。

The best heuristic I've found is the # of Class B subnets / Time (some ISPs use rotating proxies on different Class Cs). 我发现最好的启发式方法是B类子网的数量/时间（某些ISP在不同C类上使用旋转代理）。 This has generated the fewest # of false positives for us so I'd like to stick with this method. 这为我们产生了最少的误报，所以我想坚持使用这种方法。

Right now I'm thinking of applying a before filter for each request that keeps track of which Subnets and session_ids a user has used in memcached and applies the heuristic to that to determine if the cookie is being shared. 现在，我正在考虑为每个请求应用一个前置过滤器，以跟踪用户在内存缓存中使用了哪些子网和session_id，并对其进行启发式确定是否共享了cookie。

Any simpler / easier to implement ideas? 有没有更简单/更容易实现的想法？ Any existing plugins that do this? 现有的插件可以做到这一点吗？

2 个解决方案

One way I can think of would be to set the same random value in both the session and a cookie with every page refresh. 我能想到的一种方法是在每次页面刷新时在会话和cookie中都设置相同的随机值。 Check the two to make sure they are the same. 检查两个，以确保它们相同。 If someone shares their session, the cookie and session will get out of sync. 如果有人共享他们的会话，则cookie和会话将不同步。

You could tie the session information to browser information. 您可以将会话信息与浏览器信息绑定在一起。 If people are coming in from 3 or 4 different browser types within a certain time period, you can infer that something suspicious may be going on. 如果人们在某个时间段内来自3种或4种不同的浏览器类型，则可以推断出可能存在可疑事件。

An alternative answer relies on a bit of social-engineering. 另一个答案取决于一些社会工程学。 If you have some heuristic that you trust, you can warn users (at the top of the page) that you suspect they are sharing their account and that they are being watched closely. 如果您信任某些启发式功能，则可以（在页面顶部）警告用户您怀疑他们正在共享其帐户，并且正在密切关注他们。 A "contact us" link in the warning would allow legitimate users to explain themselves (and thus be permanently de-flagged). 警告中的“联系我们”链接将允许合法用户进行自我解释（并因此被永久取消标记）。 This may minimize the problem enough to take it off your radar. 这可以最大程度地减少问题，使其脱离雷达。