config.action_controller.session_options[:cookie_only] = true

Recently, I got this security vulnerability on my app:

Ruby on Rails Multiple Method Session Fixation

      Synopsis :

      The remote web server is affected by a session fixation vulnerability.

      Description :

      The web server on the remote host appears to be a version of Ruby on
      Rails that supports URL-based sessions. An unauthenticated remote
      attacker may be able to leverage this issue to obtain an authenticated
      session.

      Note that Ruby on Rails version 1.2.4 was initially supposed to
      address this issue, but its session fixation logic only works for the
      first request, when CgiRequest is first instantiated.

      See also :

      Ruby on Rails — Rails 1.2.4: Maintenance release
      Ruby on Rails — Ruby on Rails 1.2.6: Security and Maintenance Release
      http://dev.rubyonrails.org/ticket/10048
      http://www.nessus.org/u?1eeea9de

      Solution :

      Upgrade to Ruby on Rails version 1.2.6 or later and make sure
      'config.action_controller.session_options[:cookie_only]' is set to
      'true' in the 'config/environment.rb' file.

I checked my Rails version: it is already 1.2.6. Then I uncommented this line in environment.rb:

config.action_controller.session_options[:cookie_only] = true

I got the following:

Error message:
    You have a nil object when you didn't expect it!
    You might have expected an instance of Array.
    The error occurred while evaluating nil. =
Exception class:
    NoMethodError

Can anyone help me understand what is going on here?
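
The scanner finding above concerns URL-based sessions, and the following added example (not part of the original post and not Rails code) models what a cookie-only setting changes. The class `ToySessions`, the key name `_session_id` and the helper `url_fixation_possible?` are assumptions made for illustration.

```ruby
require "securerandom"

# Toy session layer (hypothetical names, not Rails code).
class ToySessions
  KEY = "_session_id" # assumed cookie / query parameter name

  def initialize(cookie_only:)
    @cookie_only = cookie_only
    @store = {} # session id => data hash
  end

  # Returns the session id the request is bound to, issuing a new one when
  # the request carries no id that this layer accepts.
  def bind(cookies: {}, params: {})
    id = cookies[KEY]
    id ||= params[KEY] unless @cookie_only # URL-based session id
    id = SecureRandom.hex(16) unless @store.key?(id)
    @store[id] ||= {}
    id
  end

  def login(id, user)
    @store.fetch(id)[:user] = user
  end

  def user_for(id)
    @store.fetch(id, {})[:user]
  end
end

# Constructed scenario: an id issued to one client appears in the URL that a
# second client follows before logging in. Returns true when the first
# client's id ends up attached to the second client's authenticated session.
def url_fixation_possible?(cookie_only)
  app = ToySessions.new(cookie_only: cookie_only)
  planted = app.bind # id issued to the first client
  victim = app.bind(params: { ToySessions::KEY => planted })
  app.login(victim, "alice")
  app.user_for(planted) == "alice"
end

puts "cookie_only=false: #{url_fixation_possible?(false)}"
puts "cookie_only=true:  #{url_fixation_possible?(true)}"
```

With the cookie-only switch on, the id in the query string is ignored and the second client is bound to a freshly issued id, so the first id never becomes authenticated.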