Why is that an opt-in option? No codebase should ever be willing to create a session id (any db/cache id/key) based on request details. The fact you have to opt in to a very basic security measure is, once again, a joke. Let's be clear: by default, Rails is willing to assign a client any session id based on its own request?!?!
Based on the other reply to my comment... no I'm not OK. I am not OK with Rails' pathetic attempts at the most basic level of security. Rails' developers are fucking amateurs. I'm sorry, but that's pure fact. Rails' developers don't know the first thing about the HTTP protocol.
NOBODY EVER CREATES A DB/CACHE KEY BASED ON THE VALUE OF A CLIENT-PROVIDED COOKIE (or unvalidated GET/POST). Anyone who argues against this should be permanently banned from IT/Technology. Just... fuck off... you have no clue.
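
The difference the comment is arguing about, as an added Ruby example (not part of the comment above and not Rails code): a hypothetical in-memory `SessionStore` that in permissive mode adopts a cookie id it never issued, and in strict mode mints its own id and rotates it at login. All class, method and sample names are assumptions made for illustration.

```ruby
require "securerandom"

# Hypothetical in-memory session store (illustration only, not Rails code).
# strict: false -> adopts whatever id the client's cookie carries.
# strict: true  -> honours only ids this server issued, mints one otherwise.
class SessionStore
  def initialize(strict:)
    @strict = strict
    @sessions = {}
  end

  # Returns [session_id, session_data] for the cookie value the client sent.
  def load(cookie_sid)
    if cookie_sid && @sessions.key?(cookie_sid)
      return [cookie_sid, @sessions[cookie_sid]]
    end

    # Unknown id: the permissive store uses it as the storage key,
    # the strict store discards it and generates a server-side id.
    sid = (!@strict && cookie_sid) ? cookie_sid : SecureRandom.hex(16)
    @sessions[sid] = {}
    [sid, @sessions[sid]]
  end

  # Strict mode also rotates the id at login, so an id that existed before
  # authentication never names an authenticated session.
  def login(sid, user)
    data = @sessions.delete(sid) || {}
    new_sid = @strict ? SecureRandom.hex(16) : sid
    @sessions[new_sid] = data.merge(user: user)
    new_sid
  end

  def user_for(cookie_sid)
    @sessions.dig(cookie_sid, :user)
  end
end

# Constructed scenario: the first request carries an id the server never
# issued, then the user logs in. Returns what that original id resolves to.
def fixation_outcome(strict:)
  store = SessionStore.new(strict: strict)
  unissued = "id-not-issued-by-server" # constructed sample value
  sid, _data = store.load(unissued)
  store.login(sid, "alice")
  store.user_for(unissued)
end
```

In permissive mode the unissued id ends up naming the logged-in session; in strict mode it resolves to nothing.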