Session-only cookie corruption in Ruby web apps

Rack and Rails have a cookie monster.

Browsers place limits on the number and size of cookies present for a domain or in a response. If you exceed these limits, Bad Things can happen. Rack and Rails try to prevent this in the obvious cases, but this post describes what they get wrong in their current implementations. We’ll also review the potential impact of—and how you can mitigate—this type of issue in your Ruby web apps.

This information is most relevant for web apps that transmit session cookies that contain the encoded contents of the entire session hash—not just the session ID. In other words, a cookie-only session. For example, Rack::Session::Cookie with Marshal or JSON, Rails’ default ActionDispatch::Session::CookieStore, or an implementation of JWT (JSON Web Tokens) that uses a cookie (instead of a dedicated response header) as its transport. The security risks are greatest when cookie-only sessions meet the cookie-truncation behavior of older browsers (and can be compounded when the sessions contain arbitrarily-large data, such as flash messages).

TL;DR: If your Ruby web apps use cookie-only sessions, consider adding Rack::Protection::MaximumCookie to their middleware stacks.
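As an added example (not code from the post, from Rack, or from Rack::Protection::MaximumCookie), here is a Rack-style middleware that audits each response's Set-Cookie headers against per-cookie and per-response limits and raises rather than letting an oversized cookie-only session reach a browser that would truncate it. The 4096-byte and 50-cookie limits are assumed placeholders, not values the post gives.

```ruby
# Rack-style middleware: audits Set-Cookie headers on every response (added example).
class CookieSizeGuard
  class CookieLimitExceeded < StandardError; end

  # Assumed limits: 4096 bytes per cookie (the whole Set-Cookie line, attributes
  # included) and 50 cookies per response. Real browser limits vary; tune these.
  DEFAULT_LIMITS = {
    bytes_per_cookie: 4096,
    cookies_per_response: 50,
    bytes_per_response: 4096 * 50
  }.freeze

  def initialize(app, limits = {})
    @app = app
    @limits = DEFAULT_LIMITS.merge(limits)
  end

  def call(env)
    status, headers, body = @app.call(env)
    violations = self.class.audit(headers, @limits)
    raise CookieLimitExceeded, violations.join('; ') unless violations.empty?
    [status, headers, body]
  end

  # Rack 2 joins several Set-Cookie values with "\n"; Rack 3 uses an Array and a
  # lowercase header name. Normalise both shapes into one Array of cookie lines.
  def self.set_cookie_lines(headers)
    raw = headers['Set-Cookie'] || headers['set-cookie']
    Array(raw).flat_map { |v| v.to_s.split("\n") }.reject(&:empty?)
  end

  # Returns an Array of human-readable violations; empty when within limits.
  def self.audit(headers, limits = DEFAULT_LIMITS)
    lines = set_cookie_lines(headers)
    violations = lines.each_with_object([]) do |line, acc|
      next if line.bytesize <= limits[:bytes_per_cookie]
      name = line.split('=', 2).first
      acc << "cookie #{name} is #{line.bytesize} bytes (limit #{limits[:bytes_per_cookie]})"
    end
    if lines.size > limits[:cookies_per_response]
      violations << "#{lines.size} cookies in one response (limit #{limits[:cookies_per_response]})"
    end
    total = lines.sum(&:bytesize)
    if total > limits[:bytes_per_response]
      violations << "#{total} cookie bytes in one response (limit #{limits[:bytes_per_response]})"
    end
    violations
  end
end
```

Wrap an app with `CookieSizeGuard.new(app)` in config.ru to fail loudly in development and test before an oversized session ever reaches production browsers.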

Continue reading

Yosemite on unsupported Mac Mini

I have an ancient Mac Mini running Yosemite and OS X Server “headless”—after a bit of finagling—and all is well and good for the most part. However, my system log is getting spammed with the following every 10 seconds or so:

Jul 20 12:27:32 foo.bar watchdogd[80881]: [watchdog_daemon] @( wd_watchdog_open) - IOIteratorNext failed (kr=0)
Jul 20 12:27:32 foo.bar watchdogd[80881]: [watchdog_daemon] @( wd_daemon_init) - could not initialize the hardware watchdog
Jul 20 12:27:32 foo.bar watchdogd[80881]: [watchdog_daemon] @( main) - cannot initialize the watchdog service
Jul 20 12:27:32 foo com.apple.xpc.launchd[1] (com.apple.watchdogd): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Google is not turning up anything useful. It looks tricky to disable, and I’m not convinced that’s the best (or only) course of action. Any suggestions, lazyweb?