This project is archived and is in readonly mode.

#2532 ✓stale
Erik Bryn

ActiveRecord session store uses invalid cookie-provided session IDs

Reported by Erik Bryn | April 21st, 2009 @ 05:03 AM | in 3.x

I needed more session storage, so I had to switch from the cookie to ActiveRecord session store. On the first request after changing the store in config/environment.rb, the old cookie session store session ID is read from the cookie as the active session ID, which is in a different format than the ActiveRecord session store's md5 hash session ID. Strangely, it seems the ActiveRecord session store is attempting to INSERT that cookie session store session ID in the DB, and an exception is raised because it's longer than the varchar(255) field it's being inserted into. Shouldn't it be SELECTing the record, looking for a record with that ID, not finding it, and then creating a new session, assuming the browser has a malformed session? Why are we trusting the cookie's session ID as valid for DB insertion?
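
As an added example (not part of the original ticket and not Rails' own code), the following Ruby shows the behaviour the reporter expects: the cookie value is checked against the store's ID format and used only as a lookup key, and on a miss the server issues a fresh ID. The `SessionStore` class, the in-memory hash standing in for the sessions table, and the sample cookie values are assumptions constructed for illustration.

```ruby
require 'securerandom'

# Hypothetical stand-in for a database-backed session store.
class SessionStore
  # IDs issued by this store: 32 lowercase hex characters (the shape of an
  # MD5 hex digest). \A and \z anchor the whole string, so a value with an
  # embedded newline cannot pass the way it could with ^ and $.
  SID_FORMAT = /\A[0-9a-f]{32}\z/

  attr_reader :rows

  def initialize
    @rows = {} # session_id => data; stands in for the sessions table
  end

  def well_formed?(sid)
    sid.is_a?(String) && SID_FORMAT.match?(sid)
  end

  # Returns [session_id, data]. The client-supplied value is only ever a
  # lookup key; it never becomes the key of a newly inserted row.
  def load(cookie_sid)
    if well_formed?(cookie_sid) && @rows.key?(cookie_sid)
      [cookie_sid, @rows[cookie_sid]]
    else
      create
    end
  end

  private

  # Fresh, server-generated ID for malformed, missing or unknown cookies.
  def create
    sid = SecureRandom.hex(16)
    @rows[sid] = {}
    [sid, @rows[sid]]
  end
end

# Constructed sample inputs (not real cookies).
STORE = SessionStore.new
# A long value shaped like a leftover cookie-store payload, over 255 chars.
STALE_COOKIE = ('BAh7' + 'A' * 300 + '--' + 'f' * 40).freeze
# Correct format, but never issued by this store.
UNKNOWN_SID = ('ab' * 16).freeze
```

Rejecting well-formed but unknown IDs, instead of creating a row under them, also keeps a client from choosing the identifier of a session the server later treats as authenticated.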
