Sensitive data stored in a session cookie detected.

• Rule ID: ruby_rails_session
• Languages: ruby
• Source: session.yml

Description

Sensitive data should not be stored in session cookies. This policy looks for any sensitive data stored within the session cookies.

Remediations

By default, Rails uses a Cookie based session store. This makes it unsafe if you use it to store sensitive data in addition of making invalidating cookies difficult as they are stored on the client.

✅ To ensure session's data stays safe, ensure to use a database-based session storage, which is easily done though Rails configuration:

Rails.application.config.session_store :active_record_store

Resources

• Rails guide on configuring Rails applications

Associated CWE

• CWE-315: Cleartext Storage of Sensitive Information in a Cookie

OWASP Top 10

• A05:2021 - Security Misconfiguration