#2287 2.3.2 sessions creating multiple session table entries - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#2287 ✓invalid

2.3.2 sessions creating multiple session table entries

Reported by ihunter | March 18th, 2009 @ 05:03 PM | in 2.3.4

When using 2.3.2 each subsequent request to the server creates a separate session table entry. Thus, it's always inserting and not selecting (woot, I know SQL).

Downgrading to 2.2.2 fixes this, so I'm assuming it's a bug or user naivete. Would like to know which.

Comments and changes to this ticket

You flagged this item as spam.
Steve Madsen March 24th, 2009 @ 03:58 PM
I am seeing this problem, too. I'm upgrading an app from 2.2.2 to 2.3.2.1. I am using the ActiveRecord session store again for testing, having removed the work-around required for 2.2.2 to use the cookie store.

Switching to the cookie store for the testing environment allows my tests to pass, but of course this isn't a solution since I want to test the same environment used in development and production mode.

Any test that issues more than one request, with something stored in the session along the way, will cause failures in later requests. One obvious example is a sign-in test: the flag that says the user is logged in is not preserved across requests because different sessions are used in each request.

One of my tests does exactly this: post a request to sign the user in, verify the response is a redirect, then follow that redirect to get the user's home page. Two requests, and two sessions created. Here's a snapshot from the sessions table in the database after running just that one test method:
```
lists-test=# select session_id, updated_at from sessions order by updated_at desc limit 5;
            session_id            |         updated_at         
----------------------------------+----------------------------
 e591ff4a7d8154c1b66de759f7b62c39 | 2009-03-24 15:53:25.401372
 a553d8a054eb57ed5c4e3f2d6200206d | 2009-03-24 15:53:25.381225
 f79d178ee908b9a8975c086cc89bf2cf | 2009-03-24 15:47:49.441628
 97cf79ecbd7553437d75cf4a275e2f4a | 2009-03-24 15:47:49.426625
 53aa5d1991980f7eed640f909604dc30 | 2009-03-24 15:36:44.721254
```
You flagged this item as spam.
Steve Madsen March 24th, 2009 @ 06:20 PM
- Tag set to “2.3.2, activerecord-store, session”
You flagged this item as spam.
Steve Madsen March 24th, 2009 @ 07:01 PM
As part of my sign-in process, once I know I have a good username/password combination, I call reset_session before putting anything in it. I added this long ago as protection against session fixation attacks.

If I comment this out, ActiveRecord store works again.

Cookie store works just fine with reset_session in place.
CancelProfileIsBroken August 5th, 2009 @ 03:46 PM
- Tag changed from “2.3.2, activerecord-store, session” to “2.3.2, activerecord-store, bugmash, session”
You flagged this item as spam.
Elise Huard August 8th, 2009 @ 11:25 PM
unable to reproduce with mysql, 2-3-stable and ruby 1.8.6

-1 active_record_store is a case of coupling between active record and actionpack, so this will probably become irrelevant in rails 3 ?
You flagged this item as spam.
Arthur Zapparoli August 9th, 2009 @ 12:21 AM
I don't know if this is really a bug. Calling reset_session should reset all the session information (even the session_id), hence the new session entry in the database. Cookie store works cause it doesn't need to check for the session_id, since the session is on users (browser) side. I'm wrong?
Jeremy Kemper August 9th, 2009 @ 02:41 AM
- State changed from “new” to “invalid”
- Tag changed from “2.3.2, activerecord-store, bugmash, session” to “2.3.2, activerecord-store, session”
You flagged this item as spam.
ian (at cocodot) August 9th, 2009 @ 02:47 AM
It's been a while, but I remember this being an issue regardless of whether reset_session was called or not. This shouldn't be invalid because at least two people were able to verify that it is an issue, unless it's being moved to invalid because it's fixed in 3.0
You flagged this item as spam.
John Pignata August 9th, 2009 @ 02:55 AM
- Tag changed from “2.3.2, activerecord-store, session” to “2.3.2, activerecord-store, bugmash, session”
-1 - can't reproduce this using sessions with 2.3.2 and active record store.
You flagged this item as spam.
Kieran P August 9th, 2009 @ 05:40 AM
- Tag changed from “2.3.2, activerecord-store, bugmash, session” to “2.3.2, activerecord-store, session”
You flagged this item as spam.
Steve Madsen August 9th, 2009 @ 07:13 PM
This may have something to do with upgrading a 2.2 app to 2.3. I created a brand-new 2.3 app in an attempt to create an isolated example showing the bug, and cannot.
Jeremy Kemper August 9th, 2009 @ 07:15 PM
- Assigned user set to “josh”
- Milestone changed from “2.x” to “2.3.4”
Please reopen with a failing test case if reproducible.
You flagged this item as spam.
bingbing March 26th, 2011 @ 01:59 AM
louis vuitton watches