This project is archived and is in readonly mode.

#3360 ✓stale
Tarmo Lehtpuu

message_verifier.verify - fails when cookie doesn't contain '--'

Reported by Tarmo Lehtpuu | October 9th, 2009 @ 04:48 PM

data, digest = signed_message.split("--")

The above line in message_verifier.verify causes the below error when signed_message doesn't contain '--'.

You have a nil object when you didn't expect it!
You might have expected an instance of Array.
The error occurred while evaluating nil.length
/Library/Ruby/Gems/1.8/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:43:in `secure_compare'
/Library/Ruby/Gems/1.8/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:28:in `verify'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:156:in `unmarshal'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:145:in `load_session'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/abstract_store.rb:62:in `send'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/abstract_store.rb:62:in `load!'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/abstract_store.rb:70:in `stale_session_check!'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/abstract_store.rb:61:in `load!'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/abstract_store.rb:28:in `[]'

This happens for example when switching from memcached based session store to cookie session store all existing sessions will be invalid until browser is at least restarted.

As a temporary workaround we used the following before filter to delete invalid cookies:

before_filter :delete_broken_cookies

def delete_broken_cookies
  if cookies['_some_session_id'] && cookies["_some_session_id"] !=~ /--/
    cookies.delete '_some_session_id'    
    redirect to root_path and return false

Comments and changes to this ticket

  • Tarmo Lehtpuu

    Tarmo Lehtpuu October 9th, 2009 @ 04:56 PM

    • Tag set to active_support, cookiestore, cookie_store, session
  • Jolyon

    Jolyon November 12th, 2009 @ 06:39 PM

    Not sure the regular expression test above is quite right. This worked for me:

    cookies['_some_session_id'] && ! (cookies["_some_session_id"] =~ /--/)
  • Todd Persen

    Todd Persen November 23rd, 2009 @ 05:52 AM

    I think you want to use !~ to achieve the desired effect. Also, the redirect_to was missing the underscore. The cleaned up version should look like:

    before_filter :delete_broken_cookies
    def delete_broken_cookies
      if cookies['_some_session_id'] && cookies['_some_session_id'] !~ /--/
        cookies.delete '_some_session_id'    
        redirect_to root_path and return false
  • Wesley Moore

    Wesley Moore December 14th, 2009 @ 10:39 PM

    This is the solution I used:

      def delete_broken_cookies
        if cookies['_Radio_session'] && !cookies['_Radio_session'].include?('--')
  • Rohit Arondekar

    Rohit Arondekar October 8th, 2010 @ 03:39 AM

    • State changed from “new” to “stale”
    • Importance changed from “” to “”

    Marking ticket as stale. If this is still an issue please leave a comment with suggested changes, creating a patch with tests, rebasing an existing patch or just confirming the issue on a latest release or master/branches.

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>