This project is archived and is in readonly mode.
Inconsistent session cookie value from marshalled hash
Reported by Ben Alavi | May 8th, 2009 @ 04:11 AM | in 2.x
When using CookieStore there can be cases where the session cookie is inconsistent between requests. This is caused by marshalling and unmarshalling of a Hash, of which the ordering is not guaranteed (nor consistent). The resulting marshalled value will be different, causing a different value for the session cookie. However, when unmarshalled it will still be the same hash, so it does not affect the way the session is persisted unless you were relying on the session cookie to be persistent between requests (i.e. for a flash uploader).
i.e.
session[:foo] = 'bar'
session[:biz] = 'bam'
may unpredictably result in this:
>> Marshal.dump(:foo => 'bar', :biz => 'bam')
=> "\004\b{\a:\bbiz\"\bbam:\bfoo\"\bbar"
or this:
>> Marshal.dump(:biz => 'bam', :foo => 'bar')
=> "\004\b{\a:\bfoo\"\bbar:\bbiz\"\bbam"
The attached patch changes CookieStore to sort the hash into an array before marshalling, and to rebuild a hash from the sorted array on unmarshalling to avoid the inconsistent nature of a hash.
I could not find a way to duplicate the failing case in a test because it relies on how the hash ends up being marshalled, which is inconsistent, which is the whole problem in the first place.
Comments and changes to this ticket
-
Ben Alavi May 8th, 2009 @ 05:10 AM
After digging into this a lot more I can't find a reason why this should matter.
I'm pretty sure this is invalid.
-
Ben Alavi May 8th, 2009 @ 05:12 AM
- Tag changed from action_pack, cookie_store, patch to action_pack, cookie_store, invalid, patch
-
Ben Alavi May 8th, 2009 @ 05:46 AM
After playing with MessageVerifier more this is definitely invalid.
-
Frederick Cheung May 10th, 2009 @ 04:19 PM
- State changed from new to invalid
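The behaviour discussed in this ticket, as an added example that is not part of the ticket or of Rails' own code: two equal hashes marshal to different bytes and so produce different signed cookie values, each value verifies on its own, and sorting into an array before marshalling (the approach the report describes) makes the bytes stable. `sign`, `verify`, the `data--digest` layout and the secret are assumptions standing in for CookieStore and MessageVerifier; on Ruby 1.9 and later hashes keep insertion order, so two insertion orders reproduce the difference deterministically.

```ruby
require 'openssl'

SECRET = 'constructed-demo-secret' # constructed sample value, not a real key

# Simplified stand-in for a signed cookie: base64(Marshal.dump) + "--" + HMAC.
def sign(value, secret = SECRET)
  data = [Marshal.dump(value)].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Constant-time comparison so the digest check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Check the HMAC first; Marshal.load only ever sees data that verified.
def verify(cookie, secret = SECRET)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  return nil unless secure_compare(digest, expected)
  Marshal.load(data.unpack('m0').first)
end

# Approach described in the report: marshal a sorted array of pairs.
def sign_sorted(hash, secret = SECRET)
  sign(hash.sort_by { |key, _| key.to_s }, secret)
end

# Rebuild the hash from the verified, sorted pairs.
def verify_sorted(cookie, secret = SECRET)
  pairs = verify(cookie, secret)
  pairs && Hash[pairs]
end

# Constructed sample sessions: same contents, different insertion order.
SESSION_A = { :foo => 'bar', :biz => 'bam' }
SESSION_B = { :biz => 'bam', :foo => 'bar' }

if __FILE__ == $PROGRAM_NAME
  puts "hashes equal:          #{SESSION_A == SESSION_B}"
  puts "cookie values equal:   #{sign(SESSION_A) == sign(SESSION_B)}"
  puts "both verify to same:   #{verify(sign(SESSION_A)) == verify(sign(SESSION_B))}"
  puts "sorted cookies equal:  #{sign_sorted(SESSION_A) == sign_sorted(SESSION_B)}"
end
```

Anything that treats the cookie string itself as a stable identifier sees the difference; anything that verifies and unmarshals it does not.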