I was just having a discussion with some folks on #rails-contrib about security vulnerabilities that the cookie session store could present.
My main concern is that if a hacker sniffs an http request and gets a hold of the cookie, then the session is hijacked forever. With the server-side session stores, you would presumably expire sessions after a certain period of inactivity, but with the cookie store, the hijacker will continue to maintain control over a session if he/she stays inactive.
This seems like a problem. One solution that I had and others on the channel suggested too was to put an expiration in the cookie data. If you put a UTC time for when the cookie should expire, then an inactive hacker will automatically have their hijacked session destroyed.
The only issue I can see with this solution is the fact that you will constantly have to send expiration updates to the cookie in every HTTP response. I'm not sure how often Rails updates the cookie right now, but if it doesn't do it on every HTTP response, then implementing this solution could become a performance burden.
-Aamer (JTMarlin on Freenode)
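The expiry-in-cookie-data idea from the post, as an added Ruby example that is neither Rails' CookieStore nor the poster's code; the class name, IDLE_TIMEOUT, the `--` separator and the injectable clock are assumptions, and the sliding refresh in `touch` is the per-response update the post expects to pay for:

```ruby
require 'openssl'
require 'json'
require 'base64'

# Hypothetical helper (not Rails' CookieStore): the session hash travels in the
# cookie with an absolute UTC expiry and an HMAC over the whole blob.
class ExpiringCookieSession
  IDLE_TIMEOUT = 15 * 60 # seconds of inactivity before the session is dead

  # `now` is injectable so expiry can be exercised without a real clock.
  def initialize(secret, now: -> { Time.now.utc })
    @secret = secret
    @now = now
  end

  # Embed expires_at (UTC epoch seconds) beside the session data and sign.
  def dump(data)
    payload = data.merge('expires_at' => (@now.call + IDLE_TIMEOUT).to_i)
    encoded = Base64.strict_encode64(JSON.generate(payload))
    "#{encoded}--#{hmac(encoded)}"
  end

  # Verify the signature before trusting expires_at (otherwise the holder of a
  # stolen cookie could just edit it), then check the clock. nil means reject.
  def load(cookie)
    encoded, sig = cookie.to_s.split('--', 2)
    return nil if encoded.nil? || sig.nil? || !secure_compare(hmac(encoded), sig)
    payload = JSON.parse(Base64.strict_decode64(encoded))
    return nil if payload['expires_at'].to_i <= @now.call.to_i
    payload.reject { |k, _| k == 'expires_at' }
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Sliding expiry: re-dump on every response so expires_at moves forward.
  def touch(cookie)
    data = load(cookie)
    data && dump(data)
  end

  private

  def hmac(str)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, str)
  end

  # Constant-time comparison of two equal-length strings.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```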