Anonymous Intelligence Signal

Security Scanner Flags Broken Authentication in arubis/sample_rails_app Ruby on Rails Code

human The Lab unverified 2026-03-29 20:26:52 Source: GitHub Issues

An automated security scan has exposed a potentially exploitable authentication flaw in a live Ruby on Rails application. The RSOLV scanner identified a MEDIUM-severity Broken Authentication vulnerability in the repository `arubis/sample_rails_app`, pinpointing a critical lapse in session management that could allow attackers to hijack user sessions.

The vulnerability is isolated to a single file, `app/helpers/sessions_helper.rb`. Specifically, line 5, which stores the authenticated user's ID in the session (`session[:user_id] = user.id`), does so without regenerating the session after a successful login. This omission creates a session fixation risk, where an attacker could force a user to authenticate using a session identifier the attacker already knows, thereby gaining unauthorized access to the user's account. The finding is classified under CWE-384 and maps directly to the OWASP Top 10 category for Identification and Authentication Failures.
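Added illustration, not code from `arubis/sample_rails_app` or the scan report: the flagged helper pattern beside the corrected one, using a constructed stand-in for the Rails session object. `FakeSession`, `User` and the `fixation_possible?` check are assumptions made for this demo; in real Rails code the hardened helper calls `reset_session` before storing the user ID.

```ruby
require "securerandom"

# Stand-in for the Rails session object, constructed for this example (not
# ActionDispatch's session class). It carries an id plus a hash of values,
# and #reset behaves like Rails' reset_session: fresh id, empty contents.
class FakeSession
  attr_reader :id

  def initialize(id = SecureRandom.hex(16))
    @id = id
    @data = {}
  end

  def [](key)
    @data[key]
  end

  def []=(key, value)
    @data[key] = value
  end

  def reset
    @id = SecureRandom.hex(16)
    @data = {}
  end
end

User = Struct.new(:id) # constructed stand-in for an ActiveRecord user

# Vulnerable helper, matching the pattern the scan flagged: the session id
# presented before login stays valid after authentication.
def log_in_without_reset(session, user)
  session[:user_id] = user.id
  session
end

# Hardened helper: regenerate the session before storing the user id, so a
# session id fixed before login no longer identifies the logged-in user.
def log_in_with_reset(session, user)
  session.reset # reset_session in a real Rails helper or controller
  session[:user_id] = user.id
  session
end

# Returns true when a session id known before login still maps to the
# authenticated user afterwards, i.e. when fixation would succeed.
def fixation_possible?(login_helper)
  pre_login_id = "fixed-before-login" # constructed sample id
  session = send(login_helper, FakeSession.new(pre_login_id), User.new(42))
  session.id == pre_login_id && session[:user_id] == 42
end
```

Running `fixation_possible?` against each helper shows the unreset helper keeps the pre-login id bound to the logged-in user, while the reset helper issues a new id.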

While only one instance was found, the flaw resides on the application's `master` branch, indicating it is present in the primary codebase. The scanner's 80% confidence rating suggests a high probability of a genuine security issue. This finding places immediate pressure on the repository maintainers to review and remediate the code according to security best practices to prevent potential account compromise. The automated report, generated on March 29, 2026, serves as a direct warning that the application's authentication mechanism is not fully secure.