security.session-management

Do not store raw request params in session or cookies

Session and signed cookie stores should not persist raw `params` blobs that attackers can influence.

# Metadata

| Field | Value |
| --- | --- |
| Rule ID | `ruby.security.rails-unsafe-session-or-cookie-store` |
| Severity | medium |
| Confidence | 0.85 |
| Languages | ruby |
| Presets | security, strict |
| Stability | stable |
| Applies to | block |
| Tags | rails, ruby, rules-catalog, security, session |

# Why it matters

Writing `params` directly into `session` or `cookies` lets the client decide what gets persisted. Unless additional integrity controls exist, this enables tampering with stored values, session fixation, and oversized-payload attacks against cookie-backed stores.

# Remediation

Store opaque identifiers, use signed or encrypted cookie jars appropriately, and validate any user-derived values before persistence.
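The pattern the rule flags next to the remediated form, as an added example that is not part of the Critiq rule catalog or of Rails. It runs without Rails: `session` and `params` are stood in by plain Hashes, the allow-list and value patterns are assumptions, and the 4096-byte cap mirrors the limit at which Rails' cookie store raises `CookieOverflow`.

```ruby
require 'json'

# Cookie-backed session stores cap the serialized payload; Rails' cookie store
# raises CookieOverflow above 4096 bytes, so the same cap is enforced here.
MAX_SESSION_BYTES = 4096

# Vulnerable pattern the rule flags: the whole attacker-controlled params blob
# is persisted, so any key, value type, or size goes straight into the store.
def store_unsafe(session, params)
  session["raw_params"] = params
  session
end

# Hardened pattern: an explicit allow-list of keys (assumed for this example),
# each value checked against the shape we expect, and an overflow check before
# anything is written. Only opaque identifiers and short enums are kept.
ALLOWED = {
  "cart_id" => /\A\d{1,12}\z/,            # opaque numeric identifier
  "locale"  => /\A[a-z]{2}(-[A-Z]{2})?\z/ # e.g. en, en-GB
}.freeze

class UnsafeSessionValue < StandardError; end

def store_safe(session, params)
  clean = {}
  ALLOWED.each do |key, pattern|
    next unless params.key?(key)
    value = params[key]
    unless value.is_a?(String) && value.match?(pattern)
      raise UnsafeSessionValue, "rejected value for #{key}"
    end
    clean[key] = value
  end
  # Size the session as it would be serialized, including what is already there.
  bytes = JSON.generate(session.merge("prefs" => clean)).bytesize
  if bytes > MAX_SESSION_BYTES
    raise UnsafeSessionValue, "session would exceed #{MAX_SESSION_BYTES} bytes"
  end
  session["prefs"] = clean
  session
end
```

Keys the allow-list does not name (such as a client-supplied `admin`) are silently dropped, while values of the wrong shape or an overflowing session raise so the caller can reject the request.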

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/ruby/ruby.security.rails-unsafe-session-or-cookie-store.rule.yaml`.