by jtchang 4884 days ago
How many people use rack? Is it almost always used when deploying rails apps?
3 comments

Rails has been built around Rack for a couple years, but I think its sessions are safe from this Rack vulnerability. Rails' CookieStore class inherits from Rack::Session::Cookie, but it overwrites the unpacked_cookie_data() method which was open to a timing attack. Rails uses its own MessageVerifier class (https://github.com/rails/rails/blob/master/activesupport/lib...) to do a constant time comparison, which would avoid this attack.

Any other frameworks/libs that use Rack's session cookies should upgrade though, afaik.
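To make the point in the comment above concrete, here is an added example (not Rack's or Rails' own code) of a minimal signed-cookie verifier in the style of Rails' MessageVerifier, with a variable-time comparison beside the constant-time one that defeats the timing attack. The module name, the secret and the payload are constructed for the demonstration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical module for illustration; it mirrors the "base64(payload)--hmac"
# layout of ActiveSupport::MessageVerifier but is not that class.
module CookieSigner
  SECRET = 'constructed-demo-secret-do-not-reuse'.freeze # constructed value

  # Variable-time: String#== returns at the first mismatching byte, so the
  # response time leaks how many leading bytes of a guessed digest are right.
  def self.naive_compare(a, b)
    a == b
  end

  # Constant-time: work depends only on the length, never on where bytes differ.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    left = a.unpack('C*')
    res = 0
    b.each_byte { |byte| res |= byte ^ left.shift }
    res.zero?
  end

  def self.digest_for(data)
    OpenSSL::HMAC.hexdigest('SHA1', SECRET, data)
  end

  # Sign a JSON-serialisable session value: "#{base64(payload)}--#{hmac}".
  def self.generate(value)
    data = Base64.strict_encode64(JSON.generate(value))
    "#{data}--#{digest_for(data)}"
  end

  # Return the session value, or nil when the signature does not verify.
  # The digest is recomputed server-side and compared in constant time
  # before the payload is trusted or decoded.
  def self.verify(signed)
    data, digest = signed.to_s.split('--', 2)
    return nil if data.nil? || digest.nil?
    return nil unless secure_compare(digest, digest_for(data))
    JSON.parse(Base64.strict_decode64(data))
  end
end
```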

For Ruby-based web apps, Sinatra is based on Rack and is pretty popular for lighter apps.
Almost all Ruby web apps are deployed on top of Rack.