Empty session id leads to shared session + Fix

We recently encountered some users that had an empty session id and were therefore logged in as other users. To fix this (the reason why the ids were empty is still unknown...) we now forbid blank session ids.

# Users with a blank session id got logged in as other users (shared session),
# so forbid empty session ids: a blank id is treated as no session at all and
# Rails generates a fresh id when the session is saved.
# TEST: set the _session_id cookie to "" - it should be removed/replaced.
class ActionController::Session::AbstractStore
  def load_session_with_blank_id_protection(*args)
    id, data = load_session_without_blank_id_protection(*args)
    return [nil, {}] if id.blank?  # blank id: start a new, empty session
    [id, data]
  end
  alias_method_chain :load_session, :blank_id_protection
end
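As an added example (not code from the original post), here is a self-contained Ruby simulation of the failure and of the fix: a tiny in-memory store that follows the same load_session contract as the Rails store patched above. DemoSessionStore, its cookie key and the "alice" scenario are assumptions made for the demonstration.

```ruby
require 'securerandom'

# Minimal in-memory store following the Rails 2.3 AbstractStore contract the
# post patches: load_session(env) returns [sid, data]. Names are assumed.
class DemoSessionStore
  def initialize
    @sessions = Hash.new { |h, k| h[k] = {} }  # sid => session data
  end

  # Unguarded: the cookie value is used verbatim as the key, so "" (or nil)
  # becomes one shared key for every request that arrives without a real id.
  def load_session(env)
    sid = env['cookie_session_id']
    [sid, @sessions[sid]]
  end

  # Guarded, equivalent to the alias_method_chain in the post: a blank id is
  # discarded and the caller gets a fresh, empty session.
  def load_session_with_blank_id_protection(env)
    sid, data = load_session(env)
    return [nil, {}] if sid.nil? || sid.strip.empty?
    [sid, data]
  end

  # Mimics AbstractStore#call: load, let the app write, then save under the
  # loaded id, or under a newly generated one when the id is nil.
  def request(cookie_sid, guarded:)
    env = { 'cookie_session_id' => cookie_sid }
    sid, data = guarded ? load_session_with_blank_id_protection(env) : load_session(env)
    yield data
    sid ||= SecureRandom.hex(16)
    @sessions[sid] = data
    sid
  end
end

# Constructed scenario: "alice" logs in while carrying an empty cookie, then an
# unrelated visitor arrives with an empty cookie too. Returns what that second
# visitor finds in :user.
def second_visitor_sees(guarded:)
  store = DemoSessionStore.new
  store.request('', guarded: guarded) { |s| s[:user] = 'alice' }
  seen = nil
  store.request('', guarded: guarded) { |s| seen = s[:user] }
  seen
end

puts "unguarded: #{second_visitor_sees(guarded: false).inspect}"  # "alice"
puts "guarded:   #{second_visitor_sees(guarded: true).inspect}"   # nil
```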
