
#2623 ✓invalid

Inconsistent session cookie value from marshalled hash

Reported by Ben Alavi | May 8th, 2009 @ 04:11 AM | in 2.x

When using CookieStore there can be cases where the session cookie is inconsistent between requests. This is caused by marshalling and unmarshalling of a Hash of which the ordering is not guaranteed (nor consistent). The resulting marshalled value will be different, causing a different value for the session cookie. However, when unmarshalled it will still be the same hash, so it does not affect the way the session is persistent unless you were relying on the session cookie to be persistent between requests (i.e. for a flash uploader).

i.e.

session[:foo] = 'bar'
session[:biz] = 'bam'

may unpredictably result in this:

>> Marshal.dump(:foo => 'bar', :biz => 'bam')
=> "\004\b{\a:\bbiz\"\bbam:\bfoo\"\bbar"

or this:

>> Marshal.dump(:biz => 'bam', :foo => 'bar')
=> "\004\b{\a:\bfoo\"\bbar:\bbiz\"\bbam"

The attached patch changes CookieStore to sort the hash into an array before marshalling, and to rebuild a hash from the sorted array on unmarshalling to avoid the inconsistent nature of a hash.

I could not find a way to duplicate the failing case in a test because it relies on how the hash ends up being marshalled, which is inconsistent, which is the whole problem in the first place.
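The sort-before-marshal idea described in the ticket, as an added example (this is not the attached patch and not Rails code). The cookie layout, `SECRET`, and all function names are assumptions; on Ruby 1.9 and later a Hash keeps insertion order, so the two constructed sessions below differ only in the order their keys were set.

```ruby
require "openssl"

SECRET = "constructed-demo-secret" # constructed value, demo only

# Sort the top-level pairs into an array so the marshalled bytes do not
# depend on hash ordering. Keys are ordered by class name, then string
# form, so mixed Symbol/String keys still compare.
def canonical_dump(session)
  Marshal.dump(session.sort_by { |key, _| [key.class.name, key.to_s] })
end

def hmac(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, data)
end

# Assumed cookie layout: strict base64 of the payload, "--", hex HMAC.
def cookie_value(payload, secret = SECRET)
  data = [payload].pack("m0")
  "#{data}--#{hmac(data, secret)}"
end

def naive_cookie(session)
  cookie_value(Marshal.dump(session))
end

def canonical_cookie(session)
  cookie_value(canonical_dump(session))
end

# Length check plus XOR accumulation, so comparison time does not depend
# on where the first differing byte is.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the digest BEFORE unmarshalling; Marshal.load must never see
# bytes that were not signed by the server. Returns nil on a bad digest.
def load_cookie(cookie, secret = SECRET)
  data, digest = cookie.split("--", 2)
  return nil unless digest && secure_equal?(digest, hmac(data, secret))
  Hash[Marshal.load(data.unpack("m0").first)]
end

# Constructed sessions: equal contents, different key order.
A = { :foo => "bar", :biz => "bam" }
B = { :biz => "bam", :foo => "bar" }
```

Only the top level of the session is sorted here, matching what the ticket describes; nested hashes would still marshal in their own order.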
