Nicolas Florentin

Results 28 comments of Nicolas Florentin

As a temporary fix, you can replace `Rails.application.config.active_record.belongs_to_required_by_default = true` with `ActiveRecord::Base.belongs_to_required_by_default = true` in `config/initializers/active_record_belongs_to_required_by_default.rb` but I'm not sure if that could produce any side effect.

Here is an example of a similar issue addressed for devise: https://github.com/plataformatec/devise/commit/c2c74b0a39238e7d997486814a1c8f75fdaf276f

Hi @wafendy I think this thread will help you to understand why this gem is useful: https://github.com/heartcombo/devise/issues/3031 TLDR: if you use cookie as session_store, this is no real logout,...

SSL makes the cookie encrypted, but it could be reused if you have it. In the [Session Storage section](https://edgeguides.rubyonrails.org/security.html#session-storage) of the doc, you can read: > Session cookies do not...

Ok thanks for your explanation, but how do you explain that the cookie can still be used after a logout on a fresh rails/devise setup with cookie store as session store...

@mockdeep Thanks for your answer. I was like you when I first saw the issue, I could not believe that the "issue" was still here after years. I tested it...

@mockdeep I totally agree with you. As you say it is not a very important vulnerability. I realized it only after years of coding with rails, because one of my...

@vkononov @simonfranzen did you find a solution to make it work in controller actions? I have the same problem (rails 6.1, runs locally on Mac OS X), it works...

Hi @vkononov Thanks for your answer and sorry for the lack of details in my message. I don't have a sample project, I'm under a huge load of work so...