The app treats all sessions as valid. There is no mechanism to expire a session that does not depend on client-side cooperation or on regenerating the Rails app secret.
If this becomes an issue for any practical purpose, then it is time to implement real authentication (Devise or OmniAuth, maybe also Pundit).
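
The limitation described above, as an added example that is not code from this app: a signed cookie checked only by signature is accepted on replay indefinitely, while a signed `issued_at` timestamp lets the server enforce a maximum age itself. The cookie layout, `SECRET`, `MAX_AGE` and all function names are assumptions for illustration, and this is a simplified model rather than Rails' actual cookie format.

```ruby
require "openssl"
require "json"

# Simplified model of a signed cookie session; not Rails' actual cookie format.
SECRET  = "constructed-demo-secret" # constructed stand-in for the app secret
MAX_AGE = 30 * 60                   # assumed policy: 30 minutes, in seconds

def sign(data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
end

# Length check first, then compare every byte without an early exit.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie value: base64(JSON) + "--" + HMAC. issued_at is covered by the MAC.
def issue_cookie(session, now: Time.now)
  payload = [JSON.generate(session.merge("issued_at" => now.to_i))].pack("m0")
  "#{payload}--#{sign(payload)}"
end

# Signature check only: a captured cookie stays valid until SECRET changes.
def load_session(cookie)
  payload, mac = cookie.to_s.split("--", 2)
  return nil if payload.nil? || mac.nil?
  return nil unless secure_equal?(mac, sign(payload))
  JSON.parse(payload.unpack1("m0"))
rescue JSON::ParserError, ArgumentError
  nil
end

# Same check plus a server-side age limit on the signed timestamp.
def load_session_with_expiry(cookie, now: Time.now)
  session = load_session(cookie)
  return nil unless session.is_a?(Hash) && session["issued_at"].is_a?(Integer)
  age = now.to_i - session["issued_at"]
  return nil if age.negative? || age > MAX_AGE
  session
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.at(1_700_000_000) # constructed issue time
  cookie = issue_cookie({ "user_id" => 42 }, now: t0)
  replay = t0 + 86_400        # same cookie presented a day later
  puts "signature only: #{load_session(cookie).inspect}"
  puts "with age limit: #{load_session_with_expiry(cookie, now: replay).inspect}"
end
```

A signed timestamp bounds how long a captured cookie is useful, but it cannot revoke one specific session early; that requires server-side session state.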