thesp0nge / dawnscanner

Dawn is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.
MIT License

Session management check is reporting a false positive when :active_record_store is used #187

Open monfresh opened 8 years ago

monfresh commented 8 years ago

In my app, I have Rails.application.config.session_store :active_record_store in my config/initializers/session_store.rb, but dawnscanner still reported the Owasp Ror CheatSheet Session management issue.

It looks like this is due to the attack_pattern only looking for Application.config.session_store and not Rails.application.config.session_store
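The matching problem reported above, modelled as an added example. This is not dawnscanner's own check or attack_pattern; the two regexes, the list of server-side stores, the verdict function and the sample initializer contents are assumptions written here to show why a case-sensitive pattern anchored on `Application.config.session_store` never sees `Rails.application.config.session_store` (the receiver is spelled with a lowercase `application`), and how a broadened pattern that also accepts `config.session_store` inside `class Application < Rails::Application` and class-name stores such as `ActionDispatch::Session::CacheStore` removes the false positive. It goes slightly beyond the thread by covering all three spellings rather than only the one in the report.

```ruby
# Added example, not code from the dawnscanner project. The patterns, the store
# list and the sample configuration strings below are illustrative assumptions.
require 'set'

# Session stores that keep session data server-side, which is what the OWASP
# Rails cheat sheet's "don't use the cookie store for session data" advice asks for.
# Constructed list: extend it with whatever stores your applications actually use.
SERVER_SIDE_STORES = Set[
  ':active_record_store', ':cache_store', ':mem_cache_store', ':redis_store',
  'ActionDispatch::Session::CacheStore', 'ActionDispatch::Session::MemCacheStore',
  'ActiveRecord::SessionStore'
].freeze

# Narrow pattern, modelling the behaviour described in the report: only the
# `Application.config.session_store` spelling matches. It is case-sensitive, so
# `Rails.application.config.session_store` (lowercase `application`) is missed.
NARROW_PATTERN = /Application\.config\.session_store\s+(\S+)/

# Broadened pattern: the receiver prefix is optional, so it accepts
# `Rails.application.config.session_store ...`, `Application.config.session_store ...`
# and a bare `config.session_store ...` inside `class Application < Rails::Application`.
BROAD_PATTERN = /(?:Rails\.application\.|Application\.)?config\.session_store\s+(\S+)/

# Classify a configuration file's contents.
# Returns [:ok, store] for a server-side store, [:cookie_store, store] for anything
# else that is configured, and [:not_found, nil] when no session_store call matched.
def session_store_verdict(source, pattern: BROAD_PATTERN)
  m = pattern.match(source)
  return [:not_found, nil] unless m
  store = m[1].sub(/,\z/, '') # drop the comma from `:active_record_store, key: ...`
  SERVER_SIDE_STORES.include?(store) ? [:ok, store] : [:cookie_store, store]
end

# Rails defaults to the cookie store when nothing is configured, so a scanner has
# to treat "not found" as a finding. That is exactly how the narrow pattern turns
# a correctly configured :active_record_store into a false positive.
def flags_issue?(source, pattern: BROAD_PATTERN)
  session_store_verdict(source, pattern: pattern).first != :ok
end

# Constructed sample inputs standing in for config/initializers/session_store.rb
# and config/application.rb; they are not taken from any real application.
INITIALIZER_AR     = "Rails.application.config.session_store :active_record_store\n"
INITIALIZER_CACHE  = "Rails.application.config.session_store ActionDispatch::Session::CacheStore, expire_after: 1.day\n"
INITIALIZER_COOKIE = "Rails.application.config.session_store :cookie_store, key: '_app_session'\n"
APP_RB = "module MyApp\n  class Application < Rails::Application\n" \
         "    config.session_store :cache_store\n  end\nend\n"

if __FILE__ == $PROGRAM_NAME
  { 'narrow/active_record' => [INITIALIZER_AR, NARROW_PATTERN],
    'broad/active_record'  => [INITIALIZER_AR, BROAD_PATTERN],
    'broad/cache_store'    => [INITIALIZER_CACHE, BROAD_PATTERN],
    'broad/cookie_store'   => [INITIALIZER_COOKIE, BROAD_PATTERN],
    'broad/application.rb' => [APP_RB, BROAD_PATTERN] }.each do |label, (src, pat)|
    verdict = session_store_verdict(src, pattern: pat)
    puts format('%-24s verdict=%-14s flagged=%s', label, verdict.first, flags_issue?(src, pattern: pat))
  end
end
```

Running it shows the narrow pattern reporting the :active_record_store initializer as a finding (verdict :not_found) while the broadened pattern accepts it, accepts the class-name CacheStore form, still flags an explicit :cookie_store, and also recognises the setting when it lives in config/application.rb.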

jasnow commented 8 years ago

An issue for me too.

cameronbourgeois commented 8 years ago

+1

OlivierGrimard commented 6 years ago

+1

mariohmol commented 3 years ago

Hi everyone, I'm having this issue as well.

One question: if we use Rails.application.config.session_store ActionDispatch::Session::CacheStore, this will have the same effect and will make the report pass, no?