Deleting a cookie and calling reset_session in the same controller action does not send new session cookie
Reported by Chris Corbyn | May 2nd, 2011 @ 08:43 AM
Rails 3.0.7, ruby-1.9.2 (via RVM). Take the following code:
class LoginController < ApplicationController
  # ... SNIP ...
  def destroy
    cookies.delete(:secureusertokens)
    reset_session
    redirect_to root_url
  end
end
This is simply a logout. It resets the session and deletes any "remember me" cookie that may be set.
Unfortunately, while a new session ID is generated, the Set-Cookie: header lacks this information (presumably because the session logic has a reference to some stale cookie data, and the controller overwrites it). The session key is just SESSID in these headers.
In the request:
Cookie: hiddenalerts=site_vrfy_124258; __utmz=REMOVED_INFO.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); elpriv=REMOVED_INFO; SESSID=b39a9a89bb6a39ea91b620fe0da392ed; __utma=REMOVED_INFO; __utmc=REMOVED_INFO; __utmb=REMOVED_INFO
And in the response (no mention of the newly generated session ID):
Set-Cookie: secureusertokens=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Now if I remove the call to cookies.delete(...) in the controller:
In the request (identical):
Cookie: hiddenalerts=site_vrfy_124258; __utmz=REMOVED_INFO.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); elpriv=REMOVED_INFO; SESSID=b39a9a89bb6a39ea91b620fe0da392ed; __utma=REMOVED_INFO; __utmc=REMOVED_INFO; __utmb=REMOVED_INFO
And in the response (correct!!):
Set-Cookie: SESSID=50640523cf32b5b0fe8c93eb16aba6dc; path=/; HttpOnly
It seems that I can either have the new session ID sent, or the "remember me" cookie deleted, but not both. I can work around this by manually sending the new cookie, but it seems like a bug to me ;)
I have my own custom SessionStore (MemCache + MySQL), but it does not set these cookies, that happens elsewhere.
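The two outcomes the report compares can be checked mechanically. The Ruby below is an added example, not code from the ticket or from Rails: it parses the logout request's Cookie header and the response's Set-Cookie headers and reports whether the session cookie was actually rotated (a new, non-empty SESSID that differs from the one the browser sent) and whether the "remember me" cookie was cleared. It has no Rails dependency, so it can sit in any test suite that captures raw headers; the header samples are constructed from the values quoted in the ticket, and the cookie names SESSID and secureusertokens are taken from it. When the session cookie is missing from the response, the browser keeps presenting the old SESSID, so the logout has not rotated the session on the client side; that is the case this check is meant to catch.

```ruby
require 'time'

# Parse a request "Cookie:" header ("a=1; b=2") into a name => value hash.
def parse_cookie_header(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, acc|
    name, value = pair.split('=', 2)
    acc[name] = value.to_s if name && !name.empty?
  end
end

# Parse one "Set-Cookie:" header into name, value and a lowercase attribute map
# (e.g. {'path' => '/', 'expires' => '...', 'httponly' => true}).
def parse_set_cookie(header)
  parts = header.split(/;\s*/)
  name, value = parts.shift.to_s.split('=', 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split('=', 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value.to_s, attrs: attrs }
end

# True if the Expires attribute parses and lies in the past.
def expired?(expires_str, now)
  return false unless expires_str
  Time.parse(expires_str) < now
rescue ArgumentError
  false
end

# A cookie counts as cleared when its value is empty, its Expires is in the
# past, or its Max-Age is zero or negative.
def cleared?(cookie, now: Time.now)
  return true if cookie[:value].empty?
  return true if expired?(cookie[:attrs]['expires'], now)
  max_age = cookie[:attrs]['max-age']
  !max_age.nil? && max_age.to_i <= 0
end

# Evaluate the logout invariants for one request/response pair and return a
# hash of invariant name => boolean.
def check_logout(request_cookie_header, set_cookie_headers,
                 session_key: 'SESSID', remember_key: 'secureusertokens')
  before = parse_cookie_header(request_cookie_header)
  set = set_cookie_headers.map { |h| parse_set_cookie(h) }
  session = set.find { |c| c[:name] == session_key }
  remember = set.find { |c| c[:name] == remember_key }
  {
    # A new session cookie must be sent, and it must differ from the old one.
    session_rotated: !session.nil? && !session[:value].empty? &&
                     session[:value] != before[session_key],
    # The session cookie should keep HttpOnly, as in the working response.
    session_httponly: !session.nil? && session[:attrs].key?('httponly'),
    # The "remember me" cookie must be expired or blanked.
    remember_cleared: !remember.nil? && cleared?(remember),
  }
end

def logout_ok?(request_cookie_header, set_cookie_headers)
  check_logout(request_cookie_header, set_cookie_headers).values.all?
end

# Constructed samples based on the headers quoted in the ticket (third-party
# cookies trimmed).
REQUEST_COOKIE = 'elpriv=REMOVED_INFO; SESSID=b39a9a89bb6a39ea91b620fe0da392ed; __utma=REMOVED_INFO'
BUGGY_RESPONSE = ['secureusertokens=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT']
FIXED_RESPONSE = [
  'secureusertokens=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT',
  'SESSID=50640523cf32b5b0fe8c93eb16aba6dc; path=/; HttpOnly',
]

if __FILE__ == $PROGRAM_NAME
  puts "buggy: #{check_logout(REQUEST_COOKIE, BUGGY_RESPONSE)}"
  puts "fixed: #{check_logout(REQUEST_COOKIE, FIXED_RESPONSE)}"
end
```

Running the file prints both result hashes; the buggy response fails session_rotated while still passing remember_cleared, which is exactly the "one or the other, but not both" situation the report describes. In a Rails integration test the same functions can be fed `response.headers['Set-Cookie']` (split on newlines) and the request's Cookie header.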