This project is archived and is in readonly mode.

#1823 ✓resolved
Scott Taylor

Response and request objects don't use the same session

Reported by Scott Taylor | January 29th, 2009 @ 09:49 PM | in 2.x

When a controller calls reset_session, the request, response, and controller's session objects should all be cleared. This is a current bug in rails HEAD @ (8761663a). It causes the following spec to fail:

Here's a test driven patch:

I've also attached a diff.

Comments and changes to this ticket

  • Jonathan George
  • Scott Taylor

    Scott Taylor January 29th, 2009 @ 10:58 PM

    This should be for the 2.3 milestone.

  • Scott Taylor

    Scott Taylor January 29th, 2009 @ 11:30 PM

    • Tag set to bug, patch, session
    • Title changed from “[Bug][Patch] response and request objects don't use the same session” to “[Bug] response and request objects don't use the same session”
  • Pratik

    Pratik January 29th, 2009 @ 11:36 PM

    • Assigned user set to “josh”
    • Title changed from “[Bug] response and request objects don't use the same session” to “Response and request objects don't use the same session”
  • Repository

    Repository January 30th, 2009 @ 01:34 AM

    • State changed from “new” to “resolved”

    (from [2dedb5b03ab88a1c31068f71c8d4cad7c5a5d9ae]) Controller, response, and request should all refer to same session, even after a call to session_reset [#1823 state:resolved] Signed-off-by: Joshua Peek

  • Scott Taylor

    Scott Taylor January 30th, 2009 @ 02:13 AM

    Thanks Josh.

    This is truly a new era in rails. I've never had a patch applied so quickly.

    Thanks again.

  • Nolan Eakins

    Nolan Eakins February 11th, 2009 @ 04:34 AM

    Just curious, but does this patch happen to fix a bug I noticed last night on the 2.3 tag when using Mongrel where I'd use the cookie store, change the session, and it wouldn't get sent back to the client?

    Using Passenger and Thin I didn't have this problem.

  • Scott Taylor

    Scott Taylor February 11th, 2009 @ 04:42 AM

    No. I have been experiencing exactly the same issue, and had thought that this would solve it (it didn't, though).

    As far as I can tell, mongrel calls the old rails deprecated cgi code, where thin uses the new rack adapter. The session bug doesn't occur when using any server with the rack adapter.

    I'm not sure why there isn't a big fat warning (Kernel#warn) when the old cgi module is clearly deprecated - it says so right there in the code.

    I think this is a pretty serious regression for 2.3.

    I'll run rdebug on mongrel_rails one more time to try to isolate it. Feel free to file a more proper bug report.

  • Scott Taylor

    Scott Taylor February 11th, 2009 @ 06:52 AM

    Just to be clear, the bug is that the response session and the request session don't stay the same when using the cgi module. Here's a pastie of the debug session:

    Notice that the same object is used for the session before calling reset_session, but afterwards the object is different.

    I'm working on a patch for this right now.

  • Nolan Eakins
  • Scott Taylor

    Scott Taylor February 13th, 2009 @ 01:47 AM


    Great. Thanks. usually you can just refer to other tickets by ticket number: #1957

    I've got a patch in the works - the test suite is fully passing, but I know a few integration tests are missing as it doesn't quite seem to work in my project yet. Hopefully I can pull something together tonight.

  • Nolan Eakins

    Nolan Eakins February 13th, 2009 @ 02:03 AM

    I'd be willing to apply your patch when you think it's ready to make sure it works. Seems like we're the only two who've run into this problem and that chose to be vocal about it.

  • Josh Pencheon

    Josh Pencheon February 14th, 2009 @ 09:30 PM

    I'm having some problems with the session as well, but the other way round - it's working fine with mongrel (script/server) but doesn't work on Passenger.

    Calling reset_session in the controller doesn't seem to have any effect - I'm using the Authlogic gem, and am able to log in, but can't log out again!

    I'm afraid I'm going away tomorrow, so won't be around to follow this up for a few days...

  • Scott Taylor

    Scott Taylor February 16th, 2009 @ 01:25 AM

    Josh Pencheon:

    Have you tried daemonizing mongrel? Does that affect the session state?

  • Marius Mathiesen

    Marius Mathiesen February 25th, 2009 @ 09:57 AM

    I'm having the same problem as Josh Pencheon. What I'm trying to achieve is to issue two cookies upon login: the regular session cookie and an additional cookie that gets picked up by Varnished to avoid caching for authenticated users.

    As soon as I try setting two cookies to the user, only one of the cookies get sent in the header. The other one is sent in the response body and doesn't get picked up by the browser. That is, there's a "Set-Cookie..." in the actual contents, not in the header as it should be.

    Tried running the same app thru Mongrel (both daemonized and not), and it works like a charm.

    Kind of reminds me of the PHP days, when PHP would spit out a warning if one tries to send headers after the server has started sending the actual payload.

  • Josh Pencheon

    Josh Pencheon March 16th, 2009 @ 07:24 PM

    Just to confirm, this seems to now be fixed with Rails 2.3.2 and Passenger 2.1.2. Thanks everyone. :-)

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>


Referenced by