#328 Fix CookieStore so session.session_id returns stable value - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#328 ✓wontfix

Fix CookieStore so session.session_id returns stable value

Reported by Rich Collins | June 4th, 2008 @ 02:08 AM

session.session_id returns the cookie value stored under _myapp_session instead of the session_id originally generated when the session was created. This causes Juggernaut (and possibly other plugins) to fail.

I modified CookieStore to store the session_id along with the session data and cryptographic signature as follows:

session_id--encoded data--signature

add_session_id_to_cookie_store.diff 7.1 KB

Comments and changes to this ticket

Pratik June 4th, 2008 @ 05:02 PM
- State changed from “new” to “incomplete”
The patch doen't apply anymore.
You flagged this item as spam.
Rich Collins June 4th, 2008 @ 10:26 PM
- State changed from “incomplete” to “new”
How is that?
http://github.com/rails/rails/tr...
Still doesn't save the session_id in any way.
Rich Collins June 5th, 2008 @ 12:48 AM
- no changes were found...
- store_session_id_in_cookie_store.diff 7.1 KB
You flagged this item as spam.
Rich Collins June 5th, 2008 @ 02:27 AM
New patch
Pratik July 2nd, 2008 @ 01:46 AM
- State changed from “new” to “wontfix”
- Tag set to “actionpack, bug, patch, tested”
How does this cause juggernaut to fail ?
Also, this will cause all existing session cookies to be invalid. So, cannot really apply this patch as it is.
Not sure if we really need session id when session is stored in cookies. Worth discussing in core mailing list nevertheless.
Thanks.
You flagged this item as spam.
blj July 6th, 2008 @ 09:45 PM
This dynamic session.session_id is madness. A stable session id will be useful. Even the forgery protections are failing, which I tracked to the session.session_id being dynamic. What really is going on with this thing?
You flagged this item as spam.
blj July 7th, 2008 @ 10:10 AM
I cannot get to apply any of these patches.
You flagged this item as spam.
Lourens Naudé July 23rd, 2008 @ 04:55 AM
Another attempt at this here :
http://github.com/methodmissing/...
and
http://github.com/methodmissing/...
You flagged this item as spam.
Adam S January 15th, 2009 @ 07:32 AM
Invalidating old implementations has never been a reason not to apply a patch to Rails in the past... the solution is to deprecate or just make the change and let plugins etc cope. This is a change that makes sense, least surprise-wise, and therefore status should not be "wont-fix", but "incomplete".
Pratik January 15th, 2009 @ 02:39 PM
Adam : Please don't take the ticket status too seriously. And the way things stand now -- "making all existing session cookies invalid" -- it is indeed 'wontfix' until we have a new patch.
You flagged this item as spam.
Adam S January 16th, 2009 @ 01:57 AM
Umm, since I was looking for a solution to this... thought it might be useful for others.

I've found the intermediate "fix" is to just use ActiveRecordStore (other non-cookie stores might be ok too). With cookie store session.session_id returns the myapp_session cookie, but with ActiveRecordStore (and possibly others), session.session_id is a 32 char hash which can be used for DB lookups etc...

Before I found that out I had decided to just have a before_filter with:
```
require 'uuidtools'
session[:uuid] ||= UUID.random_create
```
Either way will work fine...