activerecord-session_store is vulnerable to information disclosure. The package does not use a constant-time approach when validating a session ID, so remote attackers can analyze response times to discover a session ID. This vulnerability is related to CVE-2019-16782.
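
The timing difference described above, shown as an added Ruby example that is not code from activerecord-session_store: `leaky_compare` is an early-exit comparison (one common non-constant-time pattern), `secure_compare` does the same amount of work for every input, and `HashedSessionStore` is a hypothetical in-memory stand-in for the sessions table that keys rows by a SHA-256 digest of the session ID. All names and sample values are constructed for illustration, and the digest-keyed lookup is one possible mitigation, assumed here rather than taken from the package.

```ruby
require "digest"
require "securerandom"

# Early-exit comparison. Returns the result plus the number of bytes examined,
# which makes the leak visible without measuring wall-clock time.
def leaky_compare(stored, guess)
  steps = 0
  stored.bytes.zip(guess.bytes) do |s, g|
    steps += 1
    return [false, steps] if s != g   # work done depends on the matching prefix
  end
  [stored.bytesize == guess.bytesize, steps]
end

# Constant-time comparison: both inputs are hashed to 32 bytes and every byte
# pair is XORed, so the work done is the same wherever the inputs differ.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a).bytes
  db = Digest::SHA256.digest(b).bytes
  diff = steps = 0
  da.zip(db) { |x, y| diff |= x ^ y; steps += 1 }
  [diff.zero?, steps]
end

# Hypothetical store: rows are keyed by a digest of the session ID, so the
# value the storage layer compares is never the secret the client presents.
class HashedSessionStore
  def initialize
    @rows = {}
  end

  def create(data)
    sid = SecureRandom.hex(16)               # public ID returned to the client
    @rows[Digest::SHA256.hexdigest(sid)] = data
    sid
  end

  def find(sid)
    @rows[Digest::SHA256.hexdigest(sid.to_s)]
  end

  def raw_id_stored?(sid)
    @rows.key?(sid)
  end
end
```

The step counts returned by `leaky_compare` grow with the length of the matching prefix, while `secure_compare` always reports 32.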