#563 (stale)

CookieStore & session.session_id

Reported by blj | July 7th, 2008 @ 02:47 PM | in 2.x

I believe there is a bug in session.session_id when using CookieStore. It keeps changing as we add and remove stuff from the cookie store. This leads to other problems, e.g. in the module RequestForgeryProtection.

Add something to the flash before you render a form and try to submit it. Do you get an InvalidAuthenticityToken error?

Comments and changes to this ticket

  • Bryan Helmkamp

    Bryan Helmkamp August 25th, 2008 @ 04:26 PM

    • → Tag changed from “” to “2.0-stable cookie-store request-forgery-protection session_id”

    Looks like RequestForgeryProtection is set up to not depend on the session_id value when using a CookieStore. Instead, it uses a csrf_id value inside the cookie.

    That said, we see intermittent InvalidAuthenticityToken exceptions on production that we haven't been able to reproduce or debug, and are trying to track down the cause.

    blj -- What problem are you seeing, specifically?

  • blj

    blj August 26th, 2008 @ 08:51 AM

    As far as I remember, the forgery protection was using the session_id; I was not sure at which point the csrf_id was added. In my opinion changing the session_id is unnecessary, and it happens only when using the cookie session store.

  • Joshua Peek

    Joshua Peek November 27th, 2008 @ 03:18 AM

    • → State changed from “new” to “stale”
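The two token-derivation strategies the thread contrasts, as an added, self-contained model. This is not Rails code and does not reproduce RequestForgeryProtection or CookieStore; the session class, the SESSION_SECRET constant, the HMAC-SHA256 derivation and the "every write rewrites the cookie and assigns a fresh id" behaviour are assumptions made to model blj's report (Rails 2.0 used a different digest). It shows why a token tied to session_id breaks when the flash is swept between render and submit, while a token tied to a csrf_id kept inside the session data survives:

```ruby
require 'openssl'
require 'securerandom'

# Assumed demo secret; a real app derives this from its configured session secret.
SESSION_SECRET = 'constructed-secret-for-demo-only'.freeze

# Model of a cookie-backed session whose id is regenerated on every write,
# i.e. the behaviour blj reports for CookieStore. Constructed for this example.
class RegeneratingCookieSession
  attr_reader :session_id

  def initialize
    @data = {}
    @session_id = SecureRandom.hex(16)
  end

  def [](key)
    @data[key]
  end

  def []=(key, value)
    @data[key] = value
    rewrite_cookie!
  end

  def delete(key)
    @data.delete(key)
    rewrite_cookie!
  end

  private

  # Every change to the session rewrites the cookie and, in this model, the id.
  def rewrite_cookie!
    @session_id = SecureRandom.hex(16)
  end
end

def hmac(message)
  OpenSSL::HMAC.hexdigest('SHA256', SESSION_SECRET, message)
end

# Strategy A: authenticity token derived from session_id.
# Breaks as soon as the id changes between render and submit.
def token_from_session_id(session)
  hmac(session.session_id)
end

# Strategy B: authenticity token derived from a csrf_id stored in the session
# data itself, created once and reused. The first call writes csrf_id (which
# rewrites the cookie once); after that the token is stable for the session.
def token_from_csrf_id(session)
  session[:csrf_id] ||= SecureRandom.hex(16)
  hmac(session[:csrf_id])
end

# Constant-time comparison so the verifier does not leak how much of a
# forged token matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The reproduction blj describes: flash set, form rendered (token embedded),
# flash swept on the way out (session written again), form submitted, token checked.
# Returns true if the submitted token would be accepted.
def simulate_form_roundtrip(session, token_fn)
  session[:flash] = 'Record saved'         # 1. something put in the flash before the render
  token_in_form = token_fn.call(session)   # 2. form rendered with hidden authenticity_token
  session.delete(:flash)                   # 3. flash swept after render; cookie rewritten
  expected = token_fn.call(session)        # 4. submit: server recomputes and compares
  secure_compare(token_in_form, expected)
end

if __FILE__ == $PROGRAM_NAME
  puts "session_id-based token accepted: #{simulate_form_roundtrip(RegeneratingCookieSession.new, method(:token_from_session_id))}"
  puts "csrf_id-based token accepted:    #{simulate_form_roundtrip(RegeneratingCookieSession.new, method(:token_from_csrf_id))}"
end
```

Strategy B only holds if the cookie carrying csrf_id is integrity-protected; a signed cookie store (as Rails' CookieStore is) prevents a client from choosing its own csrf_id, and the token must still be compared in constant time, as above, rather than with plain string equality.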
