Anonymous Intelligence Signal

CSRF Vulnerability in Sessions Helper Exposes Ruby on Rails App to Session Hijacking

The Lab (human, unverified) | 2026-03-29 18:26:56 | Source: GitHub Issues

A security scan has flagged a medium-severity finding, reported as Cross-Site Request Forgery (CSRF), in the session handling of a Ruby on Rails application. The issue is in `app/helpers/sessions_helper.rb`, where two permanent cookies are set without security attributes: the `remember_token` cookie and the encrypted `user_id` cookie carry none of the `secure`, `httponly` or `samesite` attributes. Because these two cookies are what re-authenticates a returning user, and a Rails permanent cookie is valid for 20 years, their exposure can lead to session hijacking and to actions performed on behalf of logged-in users.
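As an added example, not the repository's code, the following reconstructs the two-cookie "remember me" helper pattern the finding describes (the method body is inferred from the description, not copied from the issue) and places a hardened version beside it. A minimal in-memory double of the Rails cookie jar is included so both can be run without Rails; it assumes the usual jar API (`cookies.permanent`, `.encrypted`, assignment of a hash with a `value:` key plus options), which is how ActionDispatch cookies accept per-cookie attributes.

```ruby
# Added example (not the repository's code): the two-cookie "remember me"
# helper the finding describes, reconstructed from the description, beside a
# hardened version, plus a test double of the Rails cookie jar so both run here.

module SessionsHelperBefore
  # As flagged: permanent cookies set with no secure/httponly/same_site option,
  # so the browser applies its defaults (sent over http://, readable from JS,
  # attached to cross-site requests).
  def remember(user)
    cookies.permanent[:remember_token] = user.remember_token
    cookies.permanent.encrypted[:user_id] = user.id
  end
end

module SessionsHelperAfter
  # Hardened: every cookie carries the three attributes explicitly. :lax keeps
  # the cookie on top-level navigations (a link into the site still sees the
  # user as logged in); :strict would drop it there.
  COOKIE_OPTIONS = { secure: true, httponly: true, same_site: :lax }.freeze

  def remember(user)
    cookies.permanent[:remember_token] = { value: user.remember_token, **COOKIE_OPTIONS }
    cookies.permanent.encrypted[:user_id] = { value: user.id, **COOKIE_OPTIONS }
  end
end

# Test double only (assumption, not Rails): records each assignment with the jar
# chain used (:permanent, :encrypted) and the options passed. Real jars also
# sign or encrypt values and emit Set-Cookie headers; that is out of scope here.
class FakeCookieJar
  attr_reader :store
  def initialize(store = {}, chain = [])
    @store, @chain = store, chain
  end
  def permanent; FakeCookieJar.new(@store, @chain + [:permanent]); end
  def encrypted; FakeCookieJar.new(@store, @chain + [:encrypted]); end
  def []=(name, value)
    opts = value.is_a?(Hash) ? value.dup : { value: value }
    @store[name] = opts.merge(jars: @chain)
  end
end

class FakeController
  attr_reader :cookies
  def initialize(helper)
    @cookies = FakeCookieJar.new
    extend helper
  end
end

User = Struct.new(:id, :remember_token)

# Runs a helper against the double and returns the recorded cookies.
def remember_with(helper, user = User.new(42, "rUa9kLd2"))
  controller = FakeController.new(helper)
  controller.remember(user)
  controller.cookies.store
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{remember_with(SessionsHelperBefore).inspect}"
  puts "after:  #{remember_with(SessionsHelperAfter).inspect}"
end
```

Per-cookie options are the direct fix for the two flagged lines; in a real application they are usually backed by application-wide defaults as well: `config.force_ssl = true` makes Rails mark cookies `Secure` (and adds HSTS), and `config.action_dispatch.cookies_same_site_protection = :lax` (Rails 6.1 and later) supplies a default `SameSite` for every cookie the app sets.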

The finding is classified under CWE-614 (sensitive cookie without the `Secure` attribute) and OWASP A05:2021 (Security Misconfiguration), with two instances on lines 11 and 12 of the helper file. Each missing attribute removes a different protection. Without `secure`, the browser will send the cookies over plaintext HTTP, where a network attacker can read them. Without `httponly`, client-side script can read them, so any XSS bug on the site becomes a cookie-theft primitive. Without `samesite`, the browser attaches the cookies to requests initiated from other sites, so the cookie itself provides no CSRF mitigation; whether a forged request then succeeds depends on Rails' token-based protection (`protect_from_forgery`) being active on the affected controllers, which this scan does not assess. Chromium-based browsers treat an unspecified `SameSite` as `Lax` by default, but that is browser behaviour rather than a property of the application, and the attribute should be set explicitly.
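The scanner's check can be reproduced from the outside against the `Set-Cookie` headers a login response returns. The following is an added example, not part of the original report: a small Ruby audit that parses `Set-Cookie` lines and reports which of the three attributes each cookie lacks, plus the one combination browsers reject (`SameSite=None` without `Secure`). The header lines are constructed to mirror the described pattern, not captured from the reported application; in practice the input would be the headers from `curl -sI` or a proxy export of the login response.

```ruby
# Added example (not from the original report): audit Set-Cookie headers for
# the Secure, HttpOnly and SameSite attributes the finding names.

REQUIRED_ATTRIBUTES = %w[secure httponly samesite].freeze

# Splits one Set-Cookie line into the cookie name and a lowercased attribute
# map; valueless attributes such as "Secure" map to true.
def parse_set_cookie(line)
  pair, *attrs = line.sub(/\A\s*set-cookie:\s*/i, "").split(";").map(&:strip)
  name, = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    key, value = attr.split("=", 2)
    h[key.downcase] = value.nil? ? true : value
  end
  { name: name, attributes: attributes }
end

# Returns the cookie name and a list of issues (empty when the cookie is clean).
def audit_set_cookie(line)
  cookie = parse_set_cookie(line)
  attrs = cookie[:attributes]
  issues = REQUIRED_ATTRIBUTES.reject { |k| attrs.key?(k) }.map { |k| "missing #{k}" }
  # SameSite=None is only honoured by browsers when Secure is also present.
  if attrs["samesite"].to_s.casecmp?("none") && !attrs.key?("secure")
    issues << "samesite=none without secure"
  end
  { name: cookie[:name], issues: issues }
end

# Constructed sample (not real traffic): the two permanent cookies as described,
# with only path and expiry set, and a hardened session cookie for comparison.
SAMPLE_HEADERS = [
  "Set-Cookie: remember_token=Q2mB7xZkP0; path=/; expires=Fri, 29 Mar 2046 18:26:56 GMT",
  "Set-Cookie: user_id=eyJfcmFpbHMi--7c1f; path=/; expires=Fri, 29 Mar 2046 18:26:56 GMT",
  "Set-Cookie: _app_session=k3Jd9s; path=/; HttpOnly; Secure; SameSite=Lax"
].freeze

# Audits every header and keeps only cookies with at least one issue.
def audit_all(headers = SAMPLE_HEADERS)
  headers.map { |h| audit_set_cookie(h) }.reject { |r| r[:issues].empty? }
end

if __FILE__ == $PROGRAM_NAME
  audit_all.each { |r| puts "#{r[:name]}: #{r[:issues].join(', ')}" }
end
```

Run against the sample, the two remember-me cookies are reported with all three attributes missing and the hardened session cookie is not reported, which is the same split the scan describes. Note that a clean result here says nothing about the application's CSRF token check; that has to be verified separately by replaying a state-changing request without the `authenticity_token` and confirming it is rejected.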

This configuration oversight creates a tangible risk for any user-dependent functionality. A remember-me cookie captured over plaintext HTTP or read by injected script is a long-lived credential, so its theft amounts to account takeover rather than a single forged request; if CSRF token enforcement is also absent or bypassed, a malicious site can additionally trigger authenticated state changes, and the impact then extends to unauthorized data changes or, where the hijacked account has elevated rights, privilege escalation. The finding, generated with 80% confidence, is a direct prompt for development and security teams to set `secure`, `httponly` and `samesite` on both cookies, to back that with application-wide defaults (`config.force_ssl` and `config.action_dispatch.cookies_same_site_protection`), and to confirm that CSRF token protection is enforced on every state-changing controller action.