CSRF Vulnerability in Sessions Helper Exposes User Authentication Tokens
A Cross-Site Request Forgery (CSRF) vulnerability has been identified within a key authentication file, posing a medium-severity risk to application security. The flaw resides in `app/helpers/sessions_helper.rb`, where two improperly secured cookies could allow attackers to hijack user sessions. Specifically, `cookies.permanent[:remember_token]` and `cookies.permanent.encrypted[:user_id]` are set without the `secure`, `httponly`, and `samesite` flags, leaving them exposed to forgery and theft.
The vulnerability is classified under CWE-614 and maps to OWASP Top 10 category A05:2021, Security Misconfiguration. With an 80% confidence rating, the finding indicates a clear deviation from established best practices for handling sensitive session data. Without these flags, the cookies may be sent over plain HTTP rather than only over HTTPS, are readable by client-side scripts, and are attached to cross-site requests, each of which weakens the application's defense against session-based attacks.
This misconfiguration directly affects the core user authentication mechanism. If exploited, it could lead to unauthorized account access, data breaches, and a loss of user trust. The finding calls for prompt code review and remediation to enforce proper cookie security settings, a fundamental step in defending against a prevalent web application attack vector.
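To make the finding concrete, the following is an added example (not code from the page or from the application it describes) written in plain Ruby with no Rails dependency. It renders `Set-Cookie` headers the way a cookie jar would, once with the weak settings the report describes and once with `secure`, `HttpOnly` and `SameSite` applied, then audits each header for the three attributes. The cookie name `remember_token` comes from the page; the token value, expiry and the helper names are constructed for the example.

```ruby
require 'time'

# The three attributes the finding says are missing, as they appear
# (lower-cased) in a Set-Cookie header.
REQUIRED_ATTRS = %w[secure httponly samesite].freeze

# Render a Set-Cookie header from Rails-style option names (:expires,
# :secure, :httponly, :same_site). This is a stand-in for the framework's
# cookie jar, not ActionDispatch itself.
def set_cookie_header(name, value, opts = {})
  parts = ["#{name}=#{value}"]
  parts << "expires=#{opts[:expires].httpdate}" if opts[:expires]
  parts << 'secure' if opts[:secure]
  parts << 'HttpOnly' if opts[:httponly]
  parts << "SameSite=#{opts[:same_site].to_s.capitalize}" if opts[:same_site]
  parts.join('; ')
end

# Audit one Set-Cookie header: return the hardening attributes it lacks.
# Attribute names are case-insensitive, so everything is compared lower-cased.
def missing_cookie_flags(header)
  present = header.split(';').drop(1).map do |attr|
    attr.strip.split('=', 2).first.downcase
  end
  REQUIRED_ATTRS.reject { |flag| present.include?(flag) }
end

# A long-lived cookie with no security attributes, mirroring the weak form
# the report describes. Value and expiry are constructed sample data.
def weak_remember_cookie
  set_cookie_header('remember_token', 'sample-token-value',
                    expires: Time.utc(2045, 1, 1))
end

# The same cookie with the three attributes set. SameSite=Lax still lets the
# cookie accompany top-level navigations to the site while blocking
# cross-site subrequests; use :strict if that trade-off is acceptable.
def hardened_remember_cookie
  set_cookie_header('remember_token', 'sample-token-value',
                    expires: Time.utc(2045, 1, 1),
                    secure: true, httponly: true, same_site: :lax)
end

if $PROGRAM_NAME == __FILE__
  [weak_remember_cookie, hardened_remember_cookie].each do |hdr|
    missing = missing_cookie_flags(hdr)
    status = missing.empty? ? 'OK' : "missing #{missing.join(', ')}"
    puts "#{status}: #{hdr}"
  end
end
```

The audit function is the reusable part: pointed at the `Set-Cookie` headers a staging deployment actually emits, it catches the same class of omission the report found without reading the helper source. In a Rails application the remediation is to pass the same options at the call site, for example `cookies.permanent[:remember_token] = { value: token, secure: true, httponly: true, same_site: :lax }`, or to set them application-wide with `config.force_ssl` (which marks cookies `secure`) and `config.action_dispatch.cookies_same_site_protection`.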