The Wire · Showcase
ACTIVERECORD-SESSION_STORE DROPS RAILS 7.1 SUPPORT AND PATCHES SESSION FIXATION VULNERABILITY
By RepoJournal · Filed · About Rails
The session store gem shipped breaking changes overnight, severing Rails 7.1 support and closing a critical session fixation hole that could let attackers extend sessions indefinitely.
ActiveRecord Session Store is shipping major cleanup this cycle [1]. The gem is dropping Rails 7.1 support entirely and removing deprecated ssid fallback code [2], signaling a push toward newer versions for any teams still on the old release train. More importantly, the trim task now prevents session fixation by removing sessions created before a cutoff period [3], closing a documented attack vector where an attacker could extend a session forever. The deprecator itself has been removed since there's nothing left to deprecate [4]. Over in GlobalID, a recent change to how Rails uses the library broke integrations on non-ActiveRecord objects, prompting maintainers to surface the requirement that custom models must define a `where` method higher in the README [5]. This caught at least one production user off guard. Meanwhile, across the rails/rails repository, maintainers are quietly improving developer experience: the guides now show controllers before views in the request lifecycle order [6], ellipses in code examples are being commented to prevent copy-paste syntax errors [7], and several guide references have been fixed [8] [9]. Ruby 4.0.6 has been added to the devcontainer matrix [10], keeping the local dev experience current.
Action items
- → If running ActiveRecord Session Store on Rails 7.1, plan migration to Rails 7.2+ before next major release cycle rails/activerecord-session_store [plan]
- → If using GlobalID with custom models, ensure your models implement the `where` method rails/globalid [monitor]
- → Review session store trim task configuration to ensure session fixation countermeasures are active rails/activerecord-session_store [plan]
References
- [1] Drop support to Rails 7.1 rails/activerecord-session_store
- [2] Remove deprecated ssid fallback code rails/activerecord-session_store
- [3] Improvoves the trim trask to prevent session fixation. rails/activerecord-session_store
- [4] Remove deprecator now that we don't have anything to deprecate rails/activerecord-session_store
- [5] Document necessity of model defining `where` higher up in README ↗ rails/globalid
- [6] Change the order of Views and Controllers in the guides ↗ rails/rails
- [7] Comment ellipsis in guides examples ↗ rails/rails
- [8] Fix the broken #with reference rails/rails
- [9] Fix settings navigation test in authentication guide rails/rails
- [10] Add Ruby version: 4.0.6 ↗ rails/devcontainer