Rack · Rack · CVE-2025-32441
**Name of the Vulnerable Software and Affected Versions**
Rack versions prior to 2.2.14
**Description**
The issue affects Rack, a modular Ruby web server interface, when the `Rack::Session::Pool` middleware is used. Concurrent Rack requests can restore a deleted session, allowing an unauthenticated user to occupy that session. The root cause is a race condition between concurrent requests that share a session: a request that loaded the session before logout writes it back afterwards, recreating it in the pool. An attacker can exploit this by triggering a long-running request within the same session at the same time as the user logs out, retaining illicit access even after the user has attempted to log out.
**Recommendations**
For versions prior to 2.2.14, ensure the application invalidates sessions atomically by marking them as logged out, e.g. with a `logged out` flag, instead of deleting them, and check this flag on every request so that a stale write-back cannot be reused as a live session.
Alternatively, implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.
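The second recommendation, as an added illustration that is not Rack's own code or the 2.2.14 patch: a constructed in-memory store records when each session id was invalidated and refuses a write-back from any request that began before that point. `InvalidatingSessionStore`, `race_demo` and the fixed timestamps are hypothetical and exist only to make the race deterministic.

```ruby
# Constructed example: an in-memory session store that records when each session
# id was invalidated so a late write-back cannot resurrect a logged-out session.
# Illustrative only; this is not Rack::Session::Pool or the 2.2.14 fix.
class InvalidatingSessionStore
  def initialize
    @lock = Mutex.new
    @sessions = {}       # sid => session hash
    @invalidated_at = {} # sid => time of the most recent logout
  end

  # Returns a copy of the session for +sid+, or nil when none exists (e.g. after logout).
  def read(sid)
    @lock.synchronize { @sessions[sid]&.dup }
  end

  # Logout: drop the data and remember when it was invalidated.
  def invalidate(sid, now = Process.clock_gettime(Process::CLOCK_MONOTONIC))
    @lock.synchronize do
      @sessions.delete(sid)
      @invalidated_at[sid] = now
    end
  end

  # Persist +data+ at the end of a request that began at +request_started_at+.
  # The write is refused (returns false) if the session was invalidated after
  # that request began, which is exactly the window the race depends on.
  def write(sid, data, request_started_at)
    @lock.synchronize do
      stamp = @invalidated_at[sid]
      return false if stamp && stamp >= request_started_at
      @sessions[sid] = data.dup
      true
    end
  end
end

# Replays the advisory's scenario with fixed (constructed) timestamps: a
# long-running request loads the session, the user logs out mid-flight, and
# the long request then tries to write the stale session back.
def race_demo
  store = InvalidatingSessionStore.new
  sid = "sid-constructed"
  store.write(sid, { "user_id" => 42 }, 0.0)     # login at t=0
  stale = store.read(sid)                         # long request loads session at t=1
  store.invalidate(sid, 2.0)                      # logout at t=2
  resurrected = store.write(sid, stale, 1.0)      # late write-back from the t=1 request
  after_race = store.read(sid)                    # nil: the session stayed dead
  fresh_login = store.write(sid, { "user_id" => 7 }, 3.0) # a request begun after logout
  { resurrected: resurrected, after_race: after_race, fresh_login: fresh_login }
end
```

A real store would additionally issue a fresh session id on the post-logout login rather than reusing `sid`; the example keeps the id fixed only to isolate the timestamp check.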
Update to version 2.2.14, which contains a patch for the issue.