Incomplete fix to secure session store CVE-2019-16782 #145
Description
#125 switches to using the new ActionDispatch::Session::AbstractSecureStore but it does not change the key used to store sessions in redis. This means that there is still potentially a timing attack that could be used against looking up a session.
We should use the Rack::Session::SessionId#private_id as the key in redis storage and #public_id in the cookie.
It would seem reasonable to fallback to using the #public_id for sessions that have not yet been converted to use the #private_id for their key.
rails/activerecord-session_store#151 could be used for inspiration.
I've submitted on a PR for this and tested it out on our app.