#4091 incomplete

ActiveRecord::SessionStore allows blank session_id

Reported by phan | March 2nd, 2010 @ 12:39 PM | in 3.0.6

ActiveRecord::SessionStore::Session does not check for an empty session_id value. So when cookie_only = false and an empty session_key value is passed in, a session with an empty session_id can be saved into the db.

The problematic code seems to be in AbstractStore

     def load_session(env)
       # Request wrapper around the Rack env (this line was lost in the ticket text;
       # Rails 3.0 builds it with ActionDispatch::Request.new(env))
       request = ActionDispatch::Request.new(env)
       sid = request.cookies[@key]
       unless @cookie_only
         # falls back to the request parameter; an empty string passes through unchanged
         sid ||= request.params[@key]
       end
       sid, session = get_session(env, sid)
       [sid, session]
     end

and in ActiveRecord::SessionStore

  def find_session(id)
    @@session_class.find_by_session_id(id) || # a blank id misses the lookup and lands here
      @@session_class.new(:session_id => id, :data => {})
  end

Neither of these checks for an empty sid value.
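As an added illustration (not code from the ticket or from Rails), a minimal in-memory stand-in for the two methods above with the blank-id check the report asks for; the class name BlankSafeSessionStore, the `saved_ids` helper and the hash-based cookies/params arguments are made up for the example:

```ruby
require 'securerandom'

# Hypothetical in-memory stand-in for ActiveRecord::SessionStore (not Rails code).
class BlankSafeSessionStore
  Session = Struct.new(:session_id, :data)

  def initialize(key: '_session_id', cookie_only: true)
    @key = key
    @cookie_only = cookie_only
    @rows = {} # session_id => Session, standing in for the sessions table
  end

  # Mirrors AbstractStore#load_session, but normalizes a blank id to nil so a
  # "" submitted as ?_session_id= (cookie_only = false) is never used as a key.
  def load_session(cookies, params)
    sid = cookies[@key]
    sid ||= params[@key] unless @cookie_only
    sid = nil if sid.nil? || sid.strip.empty?
    session = find_session(sid)
    [session.session_id, session]
  end

  # Mirrors ActiveRecord::SessionStore#find_session with the missing check:
  # a nil/blank id gets a freshly generated one instead of becoming the
  # session_id of a new row that would later be saved as "".
  def find_session(id)
    return @rows[id] if id && @rows.key?(id)
    id = generate_sid if id.nil? || id.strip.empty?
    @rows[id] = Session.new(id, {})
  end

  def generate_sid
    SecureRandom.hex(16)
  end

  # ids currently stored; a blank id must never appear here
  def saved_ids
    @rows.keys
  end
end
```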
