Session management check is reporting a false positive when :active_record_store is used

[monfresh]

In my app, I have Rails.application.config.session_store :active_record_store in my config/initializers/session_store.rb, but dawnscanner still reported the Owasp Ror CheatSheet Session management issue.

It looks like this is due to the attack_pattern only looking for Application.config.session_store and not Rails.application.config.session_store

[jasnow]

An issue for me too.

[cameronbourgeois]

+1

[OlivierGrimard]

+1

[mariohmol]

HI everyone, i'm having this issue as well..

one question, if we use Rails.application.config.session_store ActionDispatch::Session::CacheStore this will have the same effect and will make the report to pass.. no?