activerecord-session_store Timing Attack

The activerecord-session_store (aka Active Record Session Store) component
through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering
information about whether a guessed session ID is valid. Consequently, remote attackers
can leverage timing discrepancies to achieve a correct guess in a relatively short
amount of time. This is a related issue to CVE-2019-16782.

Recommendation

Users should upgrade to activerecord-session_store version 2.0.0 or later.