125 switches to using the new ActionDispatch::Session::AbstractSecureStore but it does not change the key used to store sessions in Redis. This means that there is still potentially a timing attack that could be used against looking up a session.
We should use the Rack::Session::SessionId#private_id as the key in Redis storage and #public_id in the cookie.
It would seem reasonable to fall back to using the #public_id for sessions that have not yet been converted to use the #private_id for their key.
https://github.com/rails/activerecord-session_store/pull/151 could be used for inspiration.
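An added example (not code from this repository or the linked PR) of the keying scheme proposed above: sessions are stored under the one-way private id while the cookie only ever carries the public id, and a lookup that misses falls back to the old public-id key and migrates the session. It assumes rack derives private_id as "2::" plus the SHA-256 hex digest of public_id, and uses a Hash in place of a Redis client.

```ruby
require 'digest'

# Minimal stand-in for Rack::Session::SessionId (not rack's own code).
# The public id is what the cookie holds; the private id is a one-way hash of
# it and is the only value that ever touches the store. Assumption: rack builds
# private_id as "2::" + SHA-256 hex of public_id.
class SessionId
  attr_reader :public_id

  def initialize(public_id)
    @public_id = public_id
  end

  def private_id
    "2::#{Digest::SHA256.hexdigest(@public_id)}"
  end
end

# Store that keys Redis by private_id. A session written before the key change
# still lives under its public_id; read_session finds it there, rewrites it under
# the private key and removes the old key, so the plaintext-keyed copy disappears
# the first time the user comes back. @redis is a Hash standing in for a Redis
# client (constructed; a real store would call GET/SET/DEL).
class SecureSessionStore
  def initialize(redis = {})
    @redis = redis
  end

  def write_session(sid, data)
    @redis[sid.private_id] = data
  end

  def read_session(sid)
    data = @redis[sid.private_id]
    return data if data

    # Fallback for sessions created before private_id keying was introduced.
    legacy = @redis[sid.public_id]
    return nil unless legacy

    write_session(sid, legacy)   # migrate first ...
    @redis.delete(sid.public_id) # ... then drop the public-id key
    legacy
  end

  # Remove both keys so a legacy session cannot outlive a logout.
  def delete_session(sid)
    @redis.delete(sid.private_id)
    @redis.delete(sid.public_id)
  end
end
```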
I've submitted a PR for this and tested it out on our app.