From f70ccc2eea8af01b58c08cb74341907271cab51f Mon Sep 17 00:00:00 2001
From: Toms Mikoss <toms.mikoss@gmail.com>
Date: Wed, 28 Oct 2020 12:59:34 +0200
Subject: [PATCH] Update security guide section on session expirity [ci skip]

* Avoid string interpolation in methods describing database access
* `delete_all` no longer takes condition param since Rails 5.1
---
 guides/source/security.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/guides/source/security.md b/guides/source/security.md
index 9c9972b57d..4efb8042bf 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -220,7 +220,7 @@ class Session < ApplicationRecord
       time = time.split.inject { |count, unit| count.to_i.send(unit) }
     end
 
-    delete_all "updated_at < '#{time.ago.to_s(:db)}'"
+    where("updated_at < ?", time.ago.to_s(:db)).delete_all
   end
 end
 ```
@@ -228,8 +228,7 @@ end
 The section about session fixation introduced the problem of maintained sessions. An attacker maintaining a session every five minutes can keep the session alive forever, although you are expiring sessions. A simple solution for this would be to add a `created_at` column to the sessions table. Now you can delete sessions that were created a long time ago. Use this line in the sweep method above:
 
 ```ruby
-delete_all "updated_at < '#{time.ago.to_s(:db)}' OR
-  created_at < '#{2.days.ago.to_s(:db)}'"
+where("updated_at < ? OR created_at < ?", time.ago.to_s(:db), 2.days.ago.to_s(:db)).delete_all
 ```
 
 Cross-Site Request Forgery (CSRF)