This project is archived and is in readonly mode.

reset_session Doesn't Result In New Session Id Being Applied Via Set-Cookie
Reported by Matt Bauer | December 19th, 2008 @ 05:49 AM
After calling reset_session in a controller the session is properly reset and set to nil. However, the session cookie value isn't updated and as a result, a subsequent request from the browser sends the old session id. This results in the old session being retrieved and appearing as if reset_session didn't work. Prior to the recent Rack integration the following was observed:
A request to a session destroy action that called reset_session would send a cookie like:
Cookie _pas_session=BAh7CjoQX2N...
and Rails would respond with a Set-Cookie header like:
Set-Cookie _pas_session=BAh7BiIKZmx...
After the Rack integration of late, this has changed to:
A request to a session destroy action that called reset_session would send a cookie like:
Cookie _pas_session=BAh7CjoQX2N...
and now Rails doesn't respond with a Set-Cookie header. Again, this results in the browser resending the old cookie on the subsequent request.
Comments and changes to this ticket
- 
         josh December 19th, 2008 @ 05:57 AM- Milestone cleared.
- State changed from new to open
 Definitely something I need to address. You are running Edge, right? Lots of rack session changes went in very recently. Also, if you can come up with a fix, can you try to put together a failing unit test. Check out actionpack/test/controller/session/cookie_store 
- 
            
         Matt Bauer December 19th, 2008 @ 06:01 AMYes, I'm currently running the very latest commit. I'm also in the process of working on cookie_store_test trying to recreate the bug. I'm hopeful I can get a patch together yet tonite. Shouldn't be a problem once I can create the failing test. 
- 
            
         Matt Bauer December 19th, 2008 @ 08:06 AMI had a little more time to investigate this. I wasn't able to create a test to recreate the behavior I'm seeing. I was able to debug it a bit more. I can get the proper behavior of: Set-Cookie: session_key=1221362112abcd.. after a reset_session if I place something in the session after the call to reset_session. I thought it was the equals check of: unless original_session == env[ENV_SESSION_KEY] in cookie_store/activerecord_store but when I force this to fail and generate the cookie each time, the problem didn't go away. I'm not sure where else the cookie header is set. I do know reset_session only works only if you place something in the new session. 
- 
         josh December 19th, 2008 @ 04:30 PMAh, it doesn't want to write an empty session. There are a few behaviors we want to preserve as well: - Don't load or write a new session if the session hash is never accessed (lazy loading)
- Don't write the session cookie if it is the same as the original
- For DB stores, don't write the session object back to memcache or AR if the session has not changed
- Only write an empty session if the session existed at the beginning of the session, but now is empty. You deleted all the keys or you called reset_session
 
- 
            
         Matt Bauer December 20th, 2008 @ 06:52 PM- Tag changed from rack, session to patch, rack, session
 Added a reset! and reset? to SessionHash. 
- 
         josh December 20th, 2008 @ 08:05 PMCool, I think this is on the right track but we can't assume @env['rack.session'] will respond to reset!. This should work with other Rack stores as well. Could we just check? if env[ENV_SESSION_KEY].loaded? && env[ENV_SESSION_KEY] != original_valueUpdated Looks like this will work, patching right now. if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?)
- 
         Repository December 20th, 2008 @ 08:38 PM- State changed from open to resolved
 (from [7b249b67e9df9f375eaad9e6eb41be73338faaa7]) Fix reset_session with lazy cookie stores [#1601 state:resolved] Signed-off-by: Joshua Peek josh@joshpeek.com http://github.com/rails/rails/co... 
- 
            
         Yury Kotlyarov February 18th, 2009 @ 10:32 PMdoesn't work for me. in mongrel works after adding session[:is_new] = true but in passenger still restores old session. solved by headers['Set-Cookie'] = '' after reset_session call 
- 
            
         Duff OMelia February 19th, 2009 @ 03:23 PMreset_session seems to be working perfectly for me using mongrel as well. In passenger though, I can't seem to logout of my site. I used git bisect and I'm able to logout perfectly fine in Passenger up until this commit: http://github.com/rails/rails/co... I haven't yet determined what it is in that commit (or if it's something that Passenger needs to update or has already updated.) I'm using 2.06 of passenger which I think is the latest. 
- 
            
         
- 
            
         Mislav March 3rd, 2009 @ 02:28 PMThis seems to be a bug with Passenger: reset_session fails only with Passenger 2.0.6, not with Mongrel. Upgrading to edge Passenger solves the issue for me 
- 
            
         Kip Cole March 9th, 2009 @ 02:29 AMI think this is the same (or related) issue as cookie_store session object not being serialized if it is only written, not read in a request. This is the behaviour with Phusion 2.0.6. The cookie is serialized properly in Mongrel with the same code. As a workaround I add a before filter to the app to access the session object, which appears to then result in the correct serialization with Phusion. This is on current edge rails. 
- 
            
         Kip Cole March 9th, 2009 @ 03:23 AMHmm, i was incorrect. Adding the before_filter to access the session does not work around the Phusion issue. 
- 
            
         Randy Schmidt March 9th, 2009 @ 03:52 AMIs this flying under the radar because it's marked as resolved? I'm having the same issues as everybody above on rails 2.3.1. I'm still poking around so I don't have anything of value to add. 
- 
            
         thedarkone March 9th, 2009 @ 02:41 PMPre 2.1 "Passengers" are not compatible with Rails 2.3.x. See: http://blog.phusion.nl/2009/03/0... "What’s new in 2.1.1? Support for Rails 2.3" 
- 
            
        almightylinuxgod (at me) February 18th, 2011 @ 04:25 AM- Importance changed from  to 
 Just wondering if this resolution was in 3.0.4, or 3.0.5 
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile »
<h2 style="font-size: 14px">Tickets have moved to Github</h2>
The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>
People watching this ticket
Attachments
Referenced by
- 
         1601 
          reset_session Doesn't Result In New Session Id Being Applied Via Set-Cookie
        (from [7b249b67e9df9f375eaad9e6eb41be73338faaa7]) Fix
res... 1601 
          reset_session Doesn't Result In New Session Id Being Applied Via Set-Cookie
        (from [7b249b67e9df9f375eaad9e6eb41be73338faaa7]) Fix
res...
- 
         2173 
          Security: reset_session doesn't work under some conditions (session fixation possible)
        This bug is similiar to #1601. 2173 
          Security: reset_session doesn't work under some conditions (session fixation possible)
        This bug is similiar to #1601.
 josh
      josh
 Matt Bauer
      Matt Bauer
 Mislav
      Mislav