RepoJournal
Rails

@rails

Ruby on Rails — Shopify, Basecamp, GitHub all run on it

Pick a date

Topics: Ruby Full archive →

The Wire · Showcase

ACTIVERECORD-SESSION_STORE DROPS RAILS 7.1 SUPPORT AND PATCHES SESSION FIXATION VULNERABILITY

By RepoJournal · Filed · About Rails

The session store gem shipped breaking changes overnight, severing Rails 7.1 support and closing a critical session fixation hole that could let attackers extend sessions indefinitely.

ActiveRecord Session Store is shipping major cleanup this cycle [1]. The gem is dropping Rails 7.1 support entirely and removing deprecated ssid fallback code [2], signaling a push toward newer versions for any teams still on the old release train. More importantly, the trim task now prevents session fixation by removing sessions created before a cutoff period [3], closing a documented attack vector where an attacker could extend a session forever. The deprecator itself has been removed since there's nothing left to deprecate [4]. Over in GlobalID, a recent change to how Rails uses the library broke integrations on non-ActiveRecord objects, prompting maintainers to surface the requirement that custom models must define a `where` method higher in the README [5]. This caught at least one production user off guard. Meanwhile, across the rails/rails repository, maintainers are quietly improving developer experience: the guides now show controllers before views in the request lifecycle order [6], ellipses in code examples are being commented to prevent copy-paste syntax errors [7], and several guide references have been fixed [8] [9]. Ruby 4.0.6 has been added to the devcontainer matrix [10], keeping the local dev experience current.

Action items

References

  1. [1] Drop support to Rails 7.1 rails/activerecord-session_store
  2. [2] Remove deprecated ssid fallback code rails/activerecord-session_store
  3. [3] Improvoves the trim trask to prevent session fixation. rails/activerecord-session_store
  4. [4] Remove deprecator now that we don't have anything to deprecate rails/activerecord-session_store
  5. [5] Document necessity of model defining `where` higher up in README ↗ rails/globalid
  6. [6] Change the order of Views and Controllers in the guides ↗ rails/rails
  7. [7] Comment ellipsis in guides examples ↗ rails/rails
  8. [8] Fix the broken #with reference rails/rails
  9. [9] Fix settings navigation test in authentication guide rails/rails
  10. [10] Add Ruby version: 4.0.6 ↗ rails/devcontainer

Quick answers

What shipped in Rails on July 14, 2026?
The session store gem shipped breaking changes overnight, severing Rails 7.1 support and closing a critical session fixation hole that could let attackers extend sessions indefinitely. In total, 39 commits, 15 pull requests, and 3 releases landed.
Who contributed to Rails on July 14, 2026?
10 developers shipped this update, including Ruby on Rails Bot, Rafael Mendonça França, claudiob, p8, Niklas Haeusele, Lemayian JN, Iván Guardado Castro, and Hartley McGuire, and 2 more.
What were the notable Rails updates?
Drop support to Rails 7.1, Remove deprecated ssid fallback code, and Improvoves the trim trask to prevent session fixation.

More from @rails

Daily updates, in your inbox

Follow Rails

Ruby on Rails — Shopify, Basecamp, GitHub all run on it We'll email you a link to confirm first.

Free. Confirm via email. Unsubscribe in one click.

— or follow the whole beat:

Elsewhere on the wire