Leakage of sensitive data in session cookie
- Rule ID: ruby_rails_session
- Languages: ruby
- Source: session.yml
Description
Storing sensitive data in session cookies poses a security risk. The weakness arises when sensitive information (for example credentials or tokens) is placed in a session cookie; because the cookie is stored on and transmitted by the client, that information is exposed to unauthorized access.
Remediations
- Do not store sensitive data in session cookies. This approach risks exposing sensitive information since cookies are stored on the client side.

```ruby
cookies[:user_credentials] = "username:password" # unsafe
```
- Do configure your Rails application to use a database-backed session store. Session data is then kept on the server side and only an opaque session identifier is sent to the client, which also makes session invalidation easier to manage.

```ruby
# config/initializers/session_store.rb (requires the activerecord-session_store gem)
Rails.application.config.session_store :active_record_store
```
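As an added example that is not Bearer's rule implementation, the following heuristic scanner illustrates what this rule looks for: Ruby lines that assign sensitive-looking keys into `cookies` or the (cookie-backed by default) `session`. The sensitive-key word list and the controller excerpt it scans are constructed for demonstration.

```ruby
# Added example (not Bearer's own rule code): flag writes of sensitive-looking
# keys into cookies[...] or session[...], the pattern this rule reports.
SENSITIVE_KEY = /password|passwd|credential|secret|token|ssn|card/i

# Matches cookies[:key] = ..., cookies.signed["key"] = ..., session[:key] = ...
# but not comparisons such as cookies[:key] == "x".
STORE_WRITE = /\b(?:cookies|session)(?:\.\w+)*\[\s*(?::(\w+)|["'](\w+)["'])\s*\]\s*=(?!=)/

# Returns an array of findings: { line:, key:, code: }
def scan_session_writes(source)
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    next if text.strip.start_with?("#")      # skip comment-only lines
    m = STORE_WRITE.match(text)
    next unless m
    key = m[1] || m[2]
    next unless key.match?(SENSITIVE_KEY)     # opaque ids such as user_id are fine
    findings << { line: lineno, key: key, code: text.strip }
  end
  findings
end

# Constructed controller excerpt used as scanner input (not real project code).
SAMPLE = <<~'RUBY'
  class SessionsController < ApplicationController
    def create
      user = User.find_by(email: params[:email])
      # cookies[:user_credentials] = "dummy" (commented out, ignored)
      cookies[:user_credentials] = "#{params[:email]}:#{params[:password]}"
      cookies.permanent["api_token"] = user.api_token
      session[:user_id] = user.id   # opaque id only: not flagged
      cookies[:locale] = "en"       # not sensitive: not flagged
    end
  end
RUBY

if __FILE__ == $0
  scan_session_writes(SAMPLE).each do |f|
    puts "line #{f[:line]}: sensitive key '#{f[:key]}' written to client-side store"
  end
end
```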
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:

```shell
bearer scan /path/to/your-project/ --skip-rule=ruby_rails_session
```

To run only this rule during a scan, use the following flag:

```shell
bearer scan /path/to/your-project/ --only-rule=ruby_rails_session
```