added a vuln for broken auth and session mgmt, issue #2

2013-05-21 00:58:11 -04:00
parent b2e2a1b4b0
commit 671095e030
4 changed files with 35 additions and 3 deletions
@@ -7,13 +7,20 @@ class SessionsController < ApplicationController
  end
  
  def create
-      user = User.authenticate(params[:email], params[:password])
+     
+      begin
+        user = User.authenticate(params[:email], params[:password])
+      rescue Exception => e
+      end
+      
      if user
        session[:id] = user.id if User.where(:id => user.id).exists?
        redirect_to home_dashboard_index_path
      else
+        flash[:error] = e.message
        render "new"
      end
+      
  end
  
  def destroy