Rack Session Pool Middleware Session Restoration Vulnerability

Vulnerability

A vulnerability exists in Rack::Session versions 2.0.0 and later, prior to 2.1.1, specifically within the Rack::Session::Pool middleware. It allows an attacker who has obtained a session cookie to restore a session that has already been deleted. The vulnerability arises when the attacker triggers a long-running request in the same session just before the user logs out, so that the request finishes after the logout has completed. As a result, the attacker regains access to the session even though the user has logged out.

Impact

Exploitation of this vulnerability allows for the unauthorized restoration of a deleted session, enabling continued access to the session's privileges and data.

Reproduction

To reproduce this vulnerability, first log into an application that uses the Rack::Session::Pool middleware and obtain the session cookie. Then initiate a long-running request in that session and, while it is still in progress, log out. If the session can be accessed again after the logout has completed, the vulnerability has been confirmed.

Remediation

Users are advised to update Rack::Session to version 2.1.1 or later. Alternatively, ensure that sessions are invalidated atomically, for example by marking them as logged out with a flag, or implement a custom session store that tracks invalidation timestamps so that a session loaded before its invalidation cannot be written back afterwards.
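To make the race and the invalidation-timestamp remediation concrete, the following is an added illustration, not rack-session's own code: a simplified single-threaded in-memory store in the style of a pool-backed session store, beside a variant that records when each session id was invalidated and refuses to commit a snapshot loaded before that moment. The class names, the loaded_at parameter and the simulate_race helper are assumptions made for this example.

```ruby
require 'securerandom'

def now; Process.clock_gettime(Process::CLOCK_MONOTONIC); end

# Minimal in-memory store in the style of a pool-backed session store
# (a simplified single-threaded model for illustration, not rack-session's
# own code; a real store also needs locking around these operations).
class VulnerablePool
  def initialize; @pool = {}; end
  def read(sid); @pool[sid]&.dup; end
  def delete(sid); @pool.delete(sid); end
  # loaded_at is ignored: every commit is trusted, so a copy read before
  # logout can be written straight back afterwards, restoring the session.
  def write(sid, data, loaded_at:)
    @pool[sid] = data
    true
  end
end

# Hardened variant: records when each sid was invalidated and refuses to
# commit a snapshot that was loaded before (or at) that moment.
class InvalidationAwarePool < VulnerablePool
  def initialize; super; @invalidated = {}; end
  def delete(sid)
    @invalidated[sid] = now
    super
  end
  def write(sid, data, loaded_at:)
    deleted_at = @invalidated[sid]
    return false if deleted_at && deleted_at >= loaded_at
    super
  end
end

# The advisory's sequence: a long-running request loads the session, logout
# deletes it, then the long-running request commits its stale copy back.
# Returns what a later request sees for the sid (nil means logout held).
def simulate_race(store)
  sid = SecureRandom.hex(8)
  store.write(sid, { 'user_id' => 42 }, loaded_at: now) # login
  loaded_at = now
  snapshot = store.read(sid)                        # slow request starts
  store.delete(sid)                                 # logout in another request
  store.write(sid, snapshot, loaded_at: loaded_at)  # slow request commits
  store.read(sid)
end
```

Running simulate_race against VulnerablePool returns the restored session hash, while against InvalidationAwarePool it returns nil; a production store would additionally prune old entries from the invalidation map.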

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 0.6
exploitability: 7.2
remediation: 7.9
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.