roidrage / redis-session-store

A simple session store for Rails based on Redis.
http://github.com/roidrage/redis-session-store
MIT License

Incomplete fix to secure session store CVE-2019-16782 #145

Closed. biinari closed this issue 1 year ago.

biinari commented 1 year ago

#125 switches to using the new ActionDispatch::Session::AbstractSecureStore but it does not change the key used to store sessions in Redis. This means that there is still potentially a timing attack that could be used against looking up a session.

We should use the Rack::Session::SessionId#private_id as the key in redis storage and #public_id in the cookie.

It would seem reasonable to fall back to using the #public_id for sessions that have not yet been converted to use the #private_id for their key.

https://github.com/rails/activerecord-session_store/pull/151 could be used for inspiration.

I've submitted a PR for this and tested it out on our app.
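The scheme the issue asks for, written out as an added illustration (this is not the project's code nor the linked PR): the cookie carries the public id, Redis only ever holds the derived private id, and a lookup falls back to the legacy plain-id key and migrates it on the spot. A plain Ruby Hash stands in for the Redis connection, and the small `SessionId` class here is an assumed stand-in that mirrors how Rack derives `private_id` from `public_id` (version prefix plus SHA-256 hex digest); in a real store you would use `Rack::Session::SessionId` itself. The point for a defender: if a key comparison or lookup on the server leaks timing, what it can leak is at most the stored hash, which is not a valid cookie value, because the preimage is never written to Redis.

```ruby
require 'digest/sha2'
require 'securerandom'

# Assumed stand-in for Rack::Session::SessionId (Rack >= 2.0.8):
# public_id is what goes into the cookie, private_id is what the
# server-side store keys on.
class SessionId
  ID_VERSION = 2
  attr_reader :public_id

  def initialize(public_id)
    @public_id = public_id
  end

  # Version prefix plus SHA-256 hex digest of the public id.
  def private_id
    "#{ID_VERSION}::#{Digest::SHA256.hexdigest(public_id)}"
  end
end

# Hypothetical session store; the `redis` Hash stands in for a Redis client.
class HashedKeySessionStore
  attr_reader :redis

  def initialize(redis = {})
    @redis = redis
  end

  # Fresh session ids are random; only the public half ever leaves the server.
  def generate_sid
    SessionId.new(SecureRandom.hex(16))
  end

  # New and updated sessions are always written under the hashed key.
  def write_session(sid, data)
    @redis[sid.private_id] = data
    sid
  end

  # Look up by private_id first. If that misses, try the legacy key
  # (the raw public id, as stored before the fix) and migrate the record
  # so the plain id no longer lives in Redis after this request.
  def read_session(sid)
    if (data = @redis[sid.private_id])
      return data
    end
    if (legacy = @redis[sid.public_id])
      @redis[sid.private_id] = legacy
      @redis.delete(sid.public_id)
      return legacy
    end
    nil
  end

  # Delete both forms so a not-yet-migrated legacy record cannot linger.
  def delete_session(sid)
    @redis.delete(sid.private_id)
    @redis.delete(sid.public_id)
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  store = HashedKeySessionStore.new
  sid = store.write_session(store.generate_sid, { 'user_id' => 7 })
  puts "cookie value: #{sid.public_id}"
  puts "redis keys:   #{store.redis.keys.inspect}"
end
```

Once every session has been touched at least once after deployment, the legacy branch in `read_session` will never hit again and can be dropped; until then it is what keeps existing logins alive across the key change.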