Insecure Rails Cookie Session Store

Description

The Rails session cookie is missing the SameSite=Secure attribute. As of Rails 7.2, session cookies default to SameSite=Lax, which can lead to insecure session management.

Examples

Insecure Code

ruby

Rails.application.config.session_store(:cookie_store, key: '_my_app_session')

Secure Code

ruby

Rails.application.config.session_store(:cookie_store, key: '_my_app_session', same_site: :secure)

Remediation

Add the same_site: :secure option to the session_store configuration, e.g., Rails.application.config.session_store(:cookie_store, ..., same_site: :secure, ...)

Rule Details

Field	Value
ID	CODE-0226
Category	Web
Severity	MEDIUM
CWE	CWE-345
Confidence	HIGH
Impact	LOW
Likelihood	HIGH
Exploitability	MODERATE
Tags	session-management, cookie-security
OWASP	N/A

References

https://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Insecure Rails Cookie Session Store ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Insecure Rails Cookie Session Store

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References