#2485 Rails always resend the same cookie with active_record sessions - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#2485 ✓resolved

Rails always resend the same cookie with active_record sessions

Reported by Vincent Danjean | April 12th, 2009 @ 07:20 PM | in 3.0.2

Hi,

I see that a rails application with active_record session storage always resend the same cookie to the web browser for each request. When using cookies session storage, one cookie is sent at the first connection but reloading the page (or going to another page) does not trigger the resending of the cookie.

Step to reproduce : 1) create an empty rails application 2) configure connection to database (if needed) 3) create a controller with a view 4) run WEBrick and use a browser (where you need to ack each cookie) => you get one cookie the first time you load the view page => you do not get a cookie any more if you reload the page (or if you go to another page) 5) enable ActiveRecord session: rake db:sessions:create rake db:migrate and edit config/environment.rb to enable it 6) run WEBrick and use a browser (where you need to ack each cookie) => you get the same cookie each time you load or reload a page !

I tested this behavior with rails 2.1 and 2.2 (not tested with rails 2.3) Can someone tell me how to avoid the resending of the same cookie with active_record session storage ?

Regards,

Vincent

Comments and changes to this ticket

Prem Sichanugrist (sikachu) January 20th, 2010 @ 04:06 PM
- State changed from “new” to “verified”
- Tag set to “2.3.6, 3.0, actionpack, sessions”
- Assigned user set to “Prem Sichanugrist (sikachu)”
+1 on both 3.0 and 2.3.5. Will provide a patch soon.

Also, I found this behavior in every session_store. Global patching will be fine

donncha February 8th, 2010 @ 03:22 AM

Possibly??

module ActionController #:nodoc:
  module Cookies

  protected
    # Returns the cookie container, which operates as described above.
    def cookies
-      @cookies ||= CookieJar.new(self)
+      CookieJar.new(self)
    end
  end
end

Jeremy Kemper May 4th, 2010 @ 06:48 PM
- Milestone changed from “2.x” to “3.x”
[bulk edit]
Rizwan Reza May 16th, 2010 @ 05:23 PM
- Tag changed from “2.3.6, 3.0, actionpack, sessions” to “2.3.6, 3.0, actionpack, bugmash, sessions”
- State changed from “verified” to “open”
Rohit Arondekar June 24th, 2010 @ 11:50 AM
Any updates here? Can somebody please try and verify if this is still an issue on master.
Prem Sichanugrist (sikachu) June 24th, 2010 @ 02:35 PM
Hi,

I can verify that it still apply to current master. I was working on it, but didn't finish it.

Will come back and provide patch for it soon.
José Valim June 24th, 2010 @ 08:07 PM
What always resending the cookie is an issue?
José Valim June 24th, 2010 @ 08:11 PM
Sorry! For ActiveRecord store, since the cookie only contains the session_id, it does not make sense to send the same cookie every time. Yes, this should be fixed!
Prem Sichanugrist (sikachu) June 24th, 2010 @ 08:45 PM
Ok, so I've patched the abstract_store to check that the session_id value has been changed or not. If not, then it won't call the []= of cookie jar, which was resulted in sending the cookie back to user again.

Noted that I also checked that the expired is not set. If it does, it will always resend the session_id cookie regardless of whether it's already set or not, to extend the expire time.

I've attach the patch that cleanly apply on master. Patch for 2-3-stable hopefully will come soon.
- 0001-make-sure-that-rails-doesn-t-resent-session_id-cooki.patch 3.1 KB
José Valim June 24th, 2010 @ 08:54 PM
- Milestone cleared.
- Assigned user changed from “Prem Sichanugrist (sikachu)” to “José Valim”
Prem Sichanugrist (sikachu) June 24th, 2010 @ 09:24 PM
- Tag changed from “2.3.6, 3.0, actionpack, bugmash, sessions” to “2.3.x, 3.0, actionpack, bugmash, sessions”
It isn't quite hard to backport, so here it is
- resend_cookie_path_on_2-3-stable.patch 4.4 KB
Repository June 25th, 2010 @ 08:43 AM
- State changed from “open” to “resolved”
(from [617e94658ddc3f71c42fc4f8c2346f87ff106bbe]) Make sure that Rails doesn't resent session_id cookie over and over again if it's already there [#2485 state:resolved]

This apply to only Active Record store and Memcached store, as they both store only the session_id, which will be unchanged, in the cookie.

Signed-off-by: José Valim jose.valim@gmail.com
http://github.com/rails/rails/commit/617e94658ddc3f71c42fc4f8c2346f...
Repository June 25th, 2010 @ 08:49 AM
(from [f8f365346ec55ef388eaa43e30bd7629c375d274]) Make sure that Rails doesn't resent session_id cookie over and over again if it's already there [#2485 state:resolved]

This apply to only Active Record store and Memcached store, as they both store only the session_id, which will be unchanged, in the cookie.

Signed-off-by: José Valim jose.valim@gmail.com
http://github.com/rails/rails/commit/f8f365346ec55ef388eaa43e30bd76...
You flagged this item as spam.
jsman September 8th, 2010 @ 01:16 AM
- Importance changed from “” to “”
This commit broke the ActiveRecord session store in 2.3.9. If there is currently no cookie with a session id present at the client side, no new cookie is ever created and every request will generate a new session id (but no cookie).
- session_fix_2-3-stable.diff 1.2 KB
Jeremy Kemper October 15th, 2010 @ 11:01 PM
- Milestone set to “3.0.2”
[bulk edit]