This project is archived and is in readonly mode.

#2073 ✓wontfix
Peter Nash

:attr_accessible nil breaks AR session store

Reported by Peter Nash | February 25th, 2009 @ 03:41 PM

I'm not sure if this is a bug as such but it's a change that's arisen in edge but wasn't in 2.3 RC1 and earlier.

If you configure your session store as :active_record_store and also include

ActiveRecord::Base.send(:attr_accessible, nil)

in your initializers then sessions break.

Specifically, the session records in the database are stored with a blank "session_id" column and "session" in the controller is empty.

To reproduce, build a trivial Rails application (or use an existing one) with Active Record session store, add ActiveRecord::Base.send(:attr_accessible, nil) to the initializers and clear any existing sessions from the browser and db. On each request one more session records will be generated with an empty session_id column.

Comments and changes to this ticket

  • josh
  • josh

    josh February 25th, 2009 @ 06:34 PM

    • State changed from “new” to “wontfix”

    I'm not sure this is a good idea in general. If you add ActiveRecord::Base.send(:attr_accessible, nil) to base no AR attributes will be able to be saved on any model.

    I would think the same issue would have existed in any version of Rails.

  • Peter Nash

    Peter Nash February 25th, 2009 @ 10:29 PM

    The reason for adding ActiveRecord::Base.send(:attr_accessible, nil) is so that the default behaviour of all application model classes is to NOT allow updates to to attributes from params unless access is specifically allowed with :attr_accessible in each model. This way it relies on the programmer to explicitly declare which attributes can be updated from parameter hashes. I know that there are varying opinions about whether that's a good thing to enforce but in the past setting this did not break any of the core Rails classes. For background on why I prefer to "whitelist" attr_accessible see

  • Peter Nash

    Peter Nash February 26th, 2009 @ 12:01 AM

    I meant to add that using ActiveRecord::Base.send(:attr_accessible, nil) to enforce the use of attr_accessible in models used to work fine in 2.1, 2.2 and 2.3RC1 - it's only on Edge that it breaks AR sessions. However, if anyone else is affected by this, an alternative strategy of auditing for the use of attr_accessible in models instead of enforcing it is detailed here

  • keith_shetler (at hotmail)

    keith_shetler (at hotmail) July 10th, 2009 @ 05:57 PM

    This appears in 2.3.2. The work-around:

    ActiveRecord::Base.send(:attr_accessible, nil)
    ActiveRecord::Base.send(:attr_accessible, :session_id)

    This correctly allows they system to set the :session_id attribute.

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>

People watching this ticket