Fix CookieStore so session.session_id returns stable value
Reported by Rich Collins | June 4th, 2008 @ 02:08 AM
session.session_id returns the cookie value stored under _myapp_session instead of the session_id originally generated when the session was created. This causes Juggernaut (and possibly other plugins) to fail.
I modified CookieStore to store the session_id along with the session data and cryptographic signature as follows:
session_id--encoded data--signature
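An added example, not the patch attached to this ticket and not Rails's own code: a sketch of the session_id--encoded data--signature layout described above, with the signature covering the session id as well as the data, so the id stays the same across writes and cannot be swapped without failing verification. The module name, the JSON payload, HMAC-SHA256, and the acceptance of an older two-part data--signature cookie are assumptions of this example.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Sketch only: module name, JSON payload and HMAC-SHA256 are assumptions of this example.
module StableIdCookie
  SEP = '--'

  def self.sign(secret, message)
    OpenSSL::HMAC.hexdigest('SHA256', secret, message)
  end

  # Constant-time comparison so the check does not leak how many bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Builds session_id--encoded data--signature; the MAC covers the id and the data.
  def self.dump(secret, session_id, data)
    payload = [JSON.generate(data)].pack('m0') # strict Base64, never contains "--"
    signed = [session_id, payload].join(SEP)
    [signed, sign(secret, signed)].join(SEP)
  end

  # Returns [session_id, data], or nil when the cookie is malformed or fails verification.
  def self.load(secret, cookie)
    parts = cookie.to_s.split(SEP, -1)
    case parts.size
    when 3 then session_id = parts[0]             # new three-part format
    when 2 then session_id = SecureRandom.hex(16) # assumed legacy data--signature: assign an id once
    else return nil
    end
    signed = parts[0..-2].join(SEP)
    return nil unless secure_equal?(sign(secret, signed), parts.last)
    [session_id, JSON.parse(parts[-2].unpack1('m0'))]
  rescue ArgumentError, JSON::ParserError
    nil
  end
end
```

A legacy cookie that verifies is given a fresh id on load; writing it back with dump moves it to the three-part format.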
Comments and changes to this ticket
Pratik June 4th, 2008 @ 05:02 PM
- → State changed from new to incomplete
The patch doesn't apply anymore.

Rich Collins June 5th, 2008 @ 12:48 AM
- no changes were found...

Pratik July 2nd, 2008 @ 01:46 AM
- → Tag changed from to actionpack bug patch tested
- → State changed from new to wontfix
How does this cause Juggernaut to fail?
Also, this will cause all existing session cookies to be invalid. So, cannot really apply this patch as it is.
Not sure if we really need session id when session is stored in cookies. Worth discussing in core mailing list nevertheless.
Thanks.

blj July 6th, 2008 @ 09:45 PM
This dynamic session.session_id is madness. A stable session id will be useful. Even the forgery protections are failing, which I tracked to the session.session_id being dynamic. What really is going on with this thing?

Lourens Naude July 23rd, 2008 @ 04:55 AM
