This project is archived and is in readonly mode.

#4091 incomplete
phan

ActiveRecord::SessionStore allows blank session_id

Reported by phan | March 2nd, 2010 @ 12:39 PM | in 3.0.6

ActiveRecord::SessionStore::Session does not check for an empty session_id value. So when cookie_only = false and an empty session_key value is passed in, a session with an empty session_id can be saved into the db.

The problematic code seems to be in AbstractStore

    def load_session(env)
      request = Rack::Request.new(env)
      sid = request.cookies[@key]
      unless @cookie_only
        sid ||= request.params[@key]
      end
      sid, session = get_session(env, sid)
      [sid, session]
    end

and in ActiveRecord::SessionStore

    def find_session(id)
      @@session_class.find_by_session_id(id) ||
        @@session_class.new(:session_id => id, :data => {})
    end

Neither of these checks for an empty sid value.
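As an added illustration (not code from the ticket or from Rails), the following minimal Ruby model reproduces the lookup path described above against an in-memory stand-in for the sessions table, and places a hardened find_session beside it that replaces a nil or blank id with a fresh random one. The Session struct, FakeSessionTable and the function names are constructed here; the hardened variant is one possible mitigation, not the patch Rails shipped.

```ruby
require 'securerandom'

# Constructed stand-ins for ActiveRecord::SessionStore::Session and its table.
Session = Struct.new(:session_id, :data)

class FakeSessionTable
  def initialize
    @rows = {}
  end

  def find_by_session_id(id)
    @rows[id]
  end

  def create(id)
    @rows[id] = Session.new(id, {})
  end
end

# Mirrors AbstractStore#load_session: the cookie wins, and when cookie_only is
# false the request parameter is used as a fallback. Nothing rejects "".
def extract_sid(cookies, params, key, cookie_only)
  sid = cookies[key]
  sid ||= params[key] unless cookie_only
  sid
end

# Mirrors the ticket's find_session: any non-nil id, including the empty
# string, is looked up and otherwise persisted as a new row.
def find_session_original(table, id)
  table.find_by_session_id(id) || table.create(id)
end

# Hardened variant (an assumption, not the Rails fix): a nil or blank id is
# discarded and a fresh random id is generated before the table is touched.
def find_session_hardened(table, id)
  id = SecureRandom.hex(16) if id.to_s.strip.empty?
  table.find_by_session_id(id) || table.create(id)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: no cookie, cookie_only disabled, blank _session_id param.
  sid = extract_sid({}, { '_session_id' => '' }, '_session_id', false)
  puts "original stores session_id=#{find_session_original(FakeSessionTable.new, sid).session_id.inspect}"
  puts "hardened stores session_id=#{find_session_hardened(FakeSessionTable.new, sid).session_id.inspect}"
end
```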
