Recently, I got this security vulnerability on my app:
Ruby on Rails Multiple Method Session Fixation
The remote web server is affected by a session fixation
The web server on the remote host appears to be a version of
Rails that supports URL-based sessions. An unauthenticated
attacker may be able to leverage this issue to obtain an
Note that Ruby on Rails version 1.2.4 was initially supposed to
address this issue, but its session fixation logic only works
first request, when CgiRequest is first instantiated.
See also :
Upgrade to Ruby on Rails version 1.2.6 or later and make sure
'config.action_controller.session_options[:cookie_only]' is set
'true' in the 'config/environment.rb' file.
I checked my rails version: it is already 1.2.6. Then I un-comment
this line in environment.rb
config.action_controller.session_options[:cookie_only] = true
I got the following:
You have a nil object when you didn't expect it! You might have
expected an instance of Array. The error occurred while evaluating nil.
Can anyone help me understand what is going on here?