Sensitive data stored in a session cookie detected.
- Rule ID: ruby_rails_session
- Languages: ruby
- Source: session.yml
Description
Sensitive data should not be stored in session cookies. This rule flags any sensitive data written into the session when Rails stores that session in a cookie.
Remediations
By default, Rails uses a cookie-based session store. This makes it unsafe to store sensitive data in the session, and it also makes invalidating sessions difficult, because the session data lives on the client rather than on the server.
✅ To keep session data safe, use a database-backed session store, which is a one-line change in the Rails configuration:
Rails.application.config.session_store :active_record_store
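The difference the remediation relies on is where the session data physically lives. The following is an added, self-contained Ruby illustration (not Bearer's rule code and not Rails' own session store) that imitates both strategies: a cookie store that serializes the whole session into the cookie value, signed with an HMAC, and a server-side store standing in for `:active_record_store`, where only an opaque id reaches the client. The secret and the session contents are constructed for the demo. Two caveats for the real thing: `:active_record_store` is provided by the separate `activerecord-session_store` gem, which must be in the Gemfile, and Rails' real CookieStore encrypts the cookie, so the plaintext leak shown here is exaggerated; what survives encryption is that the data is still held by the client and cannot be revoked from the server without rotating the key.

```ruby
require "json"
require "base64"
require "openssl"
require "securerandom"

# Constructed secret for the demo only; Rails derives this from secret_key_base.
SECRET = "constructed-secret-key-for-demo-only".freeze

# Constant-time string comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie-based store: the entire session hash is handed to the client.
# The signature stops tampering, but it does not stop reading or replaying.
module CookieStore
  def self.write(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    sig = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
    "#{payload}--#{sig}"
  end

  # Returns the session hash, or nil if the signature does not verify.
  def self.read(cookie)
    payload, sig = cookie.split("--", 2)
    return nil if sig.nil?
    expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
    return nil unless secure_equal?(sig, expected)
    JSON.parse(Base64.strict_decode64(payload))
  end
end

# Database-backed store (stands in for active_record_store): the client only
# receives a random id; the data stays on the server and can be deleted.
class ServerSideStore
  def initialize
    @rows = {} # stands in for the sessions table
  end

  def write(session)
    sid = SecureRandom.hex(16)
    @rows[sid] = session.dup
    sid
  end

  def read(sid)
    @rows[sid]
  end

  # Invalidation is a server-side delete; a replayed cookie finds nothing.
  def destroy(sid)
    @rows.delete(sid)
  end
end

# Does the client-visible cookie contain +value+, either directly or once the
# payload is base64-decoded? This is the exposure the Bearer rule warns about.
def cookie_reveals?(cookie, value)
  return true if cookie.include?(value)
  payload = cookie.split("--", 2).first
  Base64.strict_decode64(payload).include?(value)
rescue ArgumentError
  false
end

# Walk both stores through login, "logout", and a replay of the old cookie.
def demo
  # Constructed session contents; the ssn is the kind of field the rule flags.
  session = { "user_id" => 42, "email" => "alice@example.com", "ssn" => "123-45-6789" }

  cookie = CookieStore.write(session)          # cookie store: data on the client
  store = ServerSideStore.new
  sid = store.write(session)                   # db store: only an id on the client
  store.destroy(sid)                           # server-side logout

  {
    cookie_store_leaks_ssn: cookie_reveals?(cookie, "123-45-6789"),
    cookie_store_replay_still_valid: !CookieStore.read(cookie).nil?,
    db_store_leaks_ssn: cookie_reveals?(sid, "123-45-6789"),
    db_store_replay_still_valid: !store.read(sid).nil?
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run stand-alone, `demo` reports that the cookie store both exposes the SSN and keeps accepting the old cookie after logout, while the server-side store does neither; the rule exists because the first pair of outcomes is what a Rails app inherits from the default store.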
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=ruby_rails_session
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=ruby_rails_session