Rack Session Restoration Vulnerability in `Rack::Session::Pool` Middleware

Vulnerability

A vulnerability exists in Rack versions through 2.2.13, specifically within the `Rack::Session::Pool` middleware. It allows a deleted session to be restored by a concurrent request, so that an unauthenticated user can regain access to that session. The root cause is that Rack session middleware loads the session at the start of a request and saves it back to the store at the end, together with any modifications made by the application; nothing in that read-then-write cycle checks whether the session was deleted in between, so concurrent requests race over the store. If an attacker has obtained a session cookie and triggers a long-running request while a logout is being processed, the long-running request writes the session it loaded back into the store after the logout has deleted it, restoring the session and preserving access despite the logout.

Impact

Exploitation of this vulnerability allows an attacker to restore a deleted session and retain access to it, even after a user has logged out.

Reproduction

To reproduce this vulnerability, first log into an application that uses the `Rack::Session::Pool` middleware and obtain the session cookie. Then initiate a long-running request with that cookie while logging out at the same time. Once the logout completes and the long-running request finishes, the session is present in the store again, demonstrating the vulnerability.

Remediation

Update to Rack version 2.2.14 or later. Where an immediate upgrade is not possible, invalidate sessions atomically by marking them as logged out rather than deleting them, or use a custom session store that records session invalidation timestamps and refuses to write back a session that was invalidated after it was loaded.
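The following is an added example illustrating the third remediation option; it is not Rack's own code and not the 2.2.14 patch. The class name `InvalidationAwareStore` and its methods are assumptions, and a monotonic generation counter stands in for the invalidation timestamp so the ordering check is deterministic.

```ruby
# Session store that records when a session was invalidated and rejects
# write-backs from requests that loaded the session before that point.
class InvalidationAwareStore
  LoadedSession = Struct.new(:sid, :data, :loaded_at)

  def initialize
    @mutex = Mutex.new
    @pool = {}            # sid => session hash
    @invalidated_at = {}  # sid => generation at which the session was invalidated
    @clock = 0            # monotonic generation counter (stands in for a timestamp)
  end

  # Called at request start; remembers the generation the data was read at.
  def load(sid)
    @mutex.synchronize do
      @clock += 1
      LoadedSession.new(sid, (@pool[sid] || {}).dup, @clock)
    end
  end

  # Logout path: drop the data and record when that happened, instead of
  # silently deleting and forgetting the sid ever existed.
  def invalidate(sid)
    @mutex.synchronize do
      @clock += 1
      @pool.delete(sid)
      @invalidated_at[sid] = @clock
    end
  end

  # Called at request end. Returns false and writes nothing if the session was
  # invalidated after this request loaded it, so a stale copy cannot revive it.
  def save(loaded)
    @mutex.synchronize do
      invalidated = @invalidated_at[loaded.sid]
      return false if invalidated && invalidated > loaded.loaded_at
      @pool[loaded.sid] = loaded.data
      true
    end
  end

  def exist?(sid)
    @mutex.synchronize { @pool.key?(sid) }
  end
end

# Constructed scenario: a long-running request loads the session, a concurrent
# logout invalidates it, then the long-running request tries to save it back.
def race_demo
  store = InvalidationAwareStore.new
  first = store.load("sid-1")
  first.data["user_id"] = 42
  store.save(first)
  long_running = store.load("sid-1")   # in flight when the logout happens
  store.invalidate("sid-1")            # logout deletes the session
  long_running.data["touched"] = true
  { stale_save_accepted: store.save(long_running), session_exists: store.exist?("sid-1") }
end
```

With the stale write rejected, `race_demo` reports that the session no longer exists after the logout, which is the behaviour the vulnerable pool fails to guarantee.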

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 5.0
exploitability: 7.2
remediation: 7.9
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.