CSRF Vulnerability in Ruby on Rails Session Helper Exposes User Authentication
A security scan has flagged a Cross-Site Request Forgery (CSRF) vulnerability within a core authentication file of a Ruby on Rails application. The issue, classified with medium severity, centers on the `app/helpers/sessions_helper.rb` file, where two instances of cookie creation lack essential security flags. Specifically, the `cookies.permanent[:remember_token]` and `cookies.permanent.encrypted[:user_id]` assignments on lines 11 and 12 are missing the `secure`, `httponly`, and `samesite` attributes. This misconfiguration, mapped to CWE-614 and OWASP's A05:2021 (Security Misconfiguration), leaves the application's user session management open to potential exploitation.
The vulnerability directly impacts the application's authentication flow. Without the `secure` flag, the cookies can be transmitted over unencrypted HTTP connections. The absence of `httponly` makes them readable by client-side scripts, increasing the risk of theft via cross-site scripting (XSS). A missing `samesite` restriction fails to guard against cross-origin requests, which is the core mechanism of a CSRF attack. An attacker could potentially forge requests that perform actions on behalf of an authenticated user without their consent.
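As an added illustration (not code from the scanned application or from Rails itself), the following stand-in builds the `Set-Cookie` line a cookie jar would emit from an option hash and then runs the check a defender would apply to captured response headers: which of the three protective attributes each cookie lacks. The option names `secure:`, `httponly:` and `same_site:` mirror the ones a Rails controller passes to `cookies.permanent[...]`; the `set_cookie_header` helper, the sample cookie values and the 20-year expiry are assumptions for the example.

```ruby
require 'cgi'
require 'time'

# Attributes the scan flagged as missing on both cookies, lower-cased as they
# appear in a Set-Cookie header (Secure, HttpOnly, SameSite).
REQUIRED_FLAGS = %w[secure httponly samesite].freeze

# Hypothetical stand-in for the Set-Cookie line a cookie jar emits from an
# option hash; option names mirror the Rails ones, but this is not ActionDispatch.
def set_cookie_header(name, value:, secure: false, httponly: false, same_site: nil,
                      expires: Time.now + 20 * 365 * 24 * 3600) # "permanent" ~ 20 years
  parts = ["#{name}=#{CGI.escape(value)}", "path=/", "expires=#{expires.httpdate}"]
  parts << "secure" if secure                                     # HTTPS only
  parts << "HttpOnly" if httponly                                 # hidden from document.cookie
  parts << "SameSite=#{same_site.to_s.capitalize}" if same_site   # cross-site request guard
  parts.join("; ")
end

# Defender check: which protective attributes does a Set-Cookie line lack?
# Works on any captured header line, not only on the constructed samples below.
def missing_flags(set_cookie_line)
  attrs = set_cookie_line.split(";").drop(1).map { |a| a.strip.split("=", 2).first.downcase }
  REQUIRED_FLAGS.reject { |flag| attrs.include?(flag) }
end

# Audit a hash of cookie name => Set-Cookie line, returning name => missing flags.
def audit(cookies)
  cookies.transform_values { |line| missing_flags(line) }
end

# Constructed sample 1: the two cookies as the scan found them, with no flags.
# In the helper this corresponds to a bare `cookies.permanent[:remember_token] = token`.
VULNERABLE = {
  "remember_token" => set_cookie_header("remember_token", value: "tok-123"),
  "user_id"        => set_cookie_header("user_id", value: "enc-blob"),
}.freeze

# Constructed sample 2: the hardened form. The Rails equivalent would be
#   cookies.permanent[:remember_token] = { value: token, secure: true, httponly: true, same_site: :lax }
HARDENED = {
  "remember_token" => set_cookie_header("remember_token", value: "tok-123",
                                        secure: true, httponly: true, same_site: :lax),
  "user_id"        => set_cookie_header("user_id", value: "enc-blob",
                                        secure: true, httponly: true, same_site: :lax),
}.freeze

if __FILE__ == $PROGRAM_NAME
  p audit(VULNERABLE)  # {"remember_token"=>["secure", "httponly", "samesite"], "user_id"=>["secure", "httponly", "samesite"]}
  p audit(HARDENED)    # {"remember_token"=>[], "user_id"=>[]}
end
```

`secure: true` is appropriate wherever the application is served over HTTPS; in a local HTTP development environment that flag would stop the browser from sending the cookie at all, which is why Rails projects often condition it on the environment.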
While the immediate risk is assessed as medium, the location of the flaw, in a helper responsible for persistent login sessions, signals a systemic security oversight. The report, generated with 80% confidence, serves as a direct warning to development and security teams. Failing to apply the recommended fixes leaves an unnecessary attack surface in place, potentially compromising user accounts and the integrity of application state. This finding underscores the need for rigorous security configuration in foundational application components.