This project is archived and is in readonly mode.

#328 ✓wontfix
Rich Collins

Fix CookieStore so session.session_id returns stable value

Reported by Rich Collins | June 4th, 2008 @ 02:08 AM

session.session_id returns the cookie value stored under _myapp_session instead of the session_id originally generated when the session was created. This causes Juggernaut (and possibly other plugins) to fail.

I modified CookieStore to store the session_id along with the session data and cryptographic signature as follows:

session_id--encoded data--signature

Comments and changes to this ticket

  • Pratik

    Pratik June 4th, 2008 @ 05:02 PM

    • State changed from “new” to “incomplete”

    The patch doesn't apply anymore.

  • Rich Collins

    Rich Collins June 4th, 2008 @ 10:26 PM

    • State changed from “incomplete” to “new”

    How is that?

    Still doesn't save the session_id in any way.

  • Pratik

    Pratik July 2nd, 2008 @ 01:46 AM

    • State changed from “new” to “wontfix”
    • Tag set to actionpack, bug, patch, tested

    How does this cause juggernaut to fail?

    Also, this will cause all existing session cookies to be invalid. So, cannot really apply this patch as it is.

    Not sure if we really need session id when session is stored in cookies. Worth discussing in core mailing list nevertheless.
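The two points above, a cookie layout of session_id--encoded data--signature (the ticket's proposal) and Pratik's objection that a new layout invalidates every existing cookie, can both be shown in one toy store. The following is an added example written for this page; it is not Rails' CookieStore and not the ticket's patch. It assumes HMAC-SHA1 over the cookie body, a 32-hex-char session id, Marshal+Base64 encoding of the session hash, a constructed demo secret, and that the legacy layout was exactly `encoded data--signature`. The MAC covers the id and the data together, legacy two-part cookies are still accepted and given a fresh id, and the hash is only unmarshalled after the MAC verifies.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Toy cookie store written for this ticket; not Rails' CookieStore and not the
# ticket's patch. New layout: session_id--encoded data--signature
# Legacy layout (what the ticket says CookieStore produced): encoded data--signature
class StableIdCookieStore
  # Constructed demo secret (assumption); a real app uses its own long random secret.
  DEMO_SECRET = 'constructed-demo-secret-not-for-production-0123456789'

  def initialize(secret = DEMO_SECRET)
    @secret = secret
  end

  # 32 hex chars, the same shape Adam S reports from ActiveRecordStore.
  def generate_sid
    SecureRandom.hex(16)
  end

  # Marshal + Base64, as the Rails 2.x store did. Neither hex nor Base64 emits '-',
  # so splitting the cookie on '--' is unambiguous.
  def encode(data)
    Base64.strict_encode64(Marshal.dump(data))
  end

  def decode(str)
    Marshal.load(Base64.strict_decode64(str))
  end

  # HMAC-SHA1 hex digest (assumption: SHA1, matching the Rails 2.x store).
  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, payload)
  end

  # Constant-time comparison so a byte-by-byte timing difference cannot leak the MAC.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
  end

  # The MAC covers sid and data together, so an attacker cannot pair a captured
  # data blob with a different id, or the other way round.
  def marshal(sid, data)
    body = "#{sid}--#{encode(data)}"
    "#{body}--#{sign(body)}"
  end

  # Returns [sid, data], or nil when the MAC does not verify. Legacy two-part
  # cookies stay valid (Pratik's objection) and receive a fresh id on first read.
  # Marshal.load runs only after the MAC check: unmarshalling attacker-controlled
  # bytes is code execution, so verification must come first.
  def unmarshal(cookie)
    parts = cookie.split('--')
    case parts.length
    when 3
      sid, enc, sig = parts
      return nil unless secure_compare(sign("#{sid}--#{enc}"), sig)
      [sid, decode(enc)]
    when 2
      enc, sig = parts
      return nil unless secure_compare(sign(enc), sig)
      [generate_sid, decode(enc)]
    end
  end
end

# Walk through the ticket's scenario and return what a test can check: the same
# session saved twice yields two different cookie values but one stable id, a
# legacy cookie still loads, and cookies with swapped parts are rejected.
def demo
  store = StableIdCookieStore.new
  sid = store.generate_sid
  c1 = store.marshal(sid, { user_id: 7 })
  c2 = store.marshal(sid, { user_id: 7, cart: [1, 2] })
  sid1, = store.unmarshal(c1)
  sid2, data2 = store.unmarshal(c2)

  enc = store.encode({ user_id: 7 })
  legacy_sid, legacy_data = store.unmarshal("#{enc}--#{store.sign(enc)}")

  sid_part, enc_part, sig_part = c2.split('--')
  swapped_data = [sid_part, store.encode({ user_id: 1 }), sig_part].join('--')
  swapped_sid  = [store.generate_sid, enc_part, sig_part].join('--')

  {
    stable_id:       sid1 == sid && sid2 == sid,
    cookie_changed:  c1 != c2,
    data_roundtrip:  data2 == { user_id: 7, cart: [1, 2] },
    legacy_ok:       legacy_sid.length == 32 && legacy_data == { user_id: 7 },
    tamper_rejected: store.unmarshal(swapped_data).nil? && store.unmarshal(swapped_sid).nil?
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints a hash in which every value is true. The point for the ticket is the first two keys: the cookie value changes on every save, so anything keyed on it (as session.session_id was) breaks, while the id embedded in the cookie stays put; the legacy branch is what would let such a change ship without logging every user out.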


  • blj

    blj July 6th, 2008 @ 09:45 PM

    This dynamic session.session_id is madness. A stable session id will be useful. Even the forgery protections are failing, which I tracked to the session.session_id being dynamic. What really is going on with this thing?

  • blj

    blj July 7th, 2008 @ 10:10 AM

    I cannot get any of these patches to apply.

  • Adam S

    Adam S January 15th, 2009 @ 07:32 AM

    Invalidating old implementations has never been a reason not to apply a patch to Rails in the past... the solution is to deprecate or just make the change and let plugins etc cope. This is a change that makes sense, least surprise-wise, and therefore status should not be "wont-fix", but "incomplete".

  • Pratik

    Pratik January 15th, 2009 @ 02:39 PM

    Adam : Please don't take the ticket status too seriously. And the way things stand now -- "making all existing session cookies invalid" -- it is indeed 'wontfix' until we have a new patch.

  • Adam S

    Adam S January 16th, 2009 @ 01:57 AM

    Umm, since I was looking for a solution to this... thought it might be useful for others.

    I've found the intermediate "fix" is to just use ActiveRecordStore (other non-cookie stores might be ok too). With cookie store session.session_id returns the myapp_session cookie, but with ActiveRecordStore (and possibly others), session.session_id is a 32 char hash which can be used for DB lookups etc...

    Before I found that out I had decided to just have a before_filter with:

    # runs in a before_filter, so every session gets a stable id on its first request
    require 'uuidtools'
    session[:uuid] ||= UUID.random_create

    Either way will work fine...
