This project is archived and is in readonly mode.

#4188 ✓invalid
yachi

class cache should reload in each user session

Reported by yachi | March 16th, 2010 @ 03:59 AM

Let's say I have to set the user's timezone in Time.zone when the user visits the site, but when an anonymous user comes, the timezone of the last user is still stored in the Time class. So now I have to reset Time.zone in every session in production mode. Is it an expected behaviour?
And another issue I hit with the class cache is that I have some controllers that users could access without email confirmation after registration, and the boolean of the confirmation check is stored in the UserSession (Authlogic) class. So once a user triggers the disable_confirmation_check, other users could access all the site without email confirmation.
These do not happen in development mode since classes are reloaded every time. It may cause security issues if developers are not aware that what they do involves class variables, which are only persistent in production mode.

Comments and changes to this ticket

  • José Valim

    José Valim March 27th, 2010 @ 02:02 PM

    • State changed from “new” to “invalid”

    Yes, those are the expected behaviors. If you store such values in the class, those behaviors will trigger. You need to work on your implementation.
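The behaviour discussed in this ticket, reproduced as an added example that is not part of the ticket or of Rails: one long-lived process serves three requests in a row, first with a handler that leaves per-user values in class-level state and then with one that restores that state when the request ends. `Settings`, `User`, `leaky_request`, `scoped_request` and `run` are hypothetical names standing in for the two class-level values the reporter describes.

```ruby
# Plain Ruby, no Rails. In production, classes are loaded once per process,
# so anything stored on a class outlives the request that stored it.
class Settings
  class << self
    attr_accessor :zone, :skip_confirmation   # shared by every request in the process
  end
  self.zone = "UTC"
  self.skip_confirmation = false
end

User = Struct.new(:name, :zone, :confirmed)

# Leaky: writes per-user values into the class and never puts them back.
def leaky_request(user, public_page: false)
  Settings.zone = user.zone if user
  Settings.skip_confirmation = true if public_page
  allowed = Settings.skip_confirmation || (!user.nil? && user.confirmed)
  { zone: Settings.zone, allowed: allowed }
end

# Scoped: same class-level API, but the previous values are restored in
# `ensure`, so nothing set for this request is visible to the next one.
def scoped_request(user, public_page: false)
  saved = [Settings.zone, Settings.skip_confirmation]
  Settings.zone = user.zone if user
  Settings.skip_confirmation = public_page
  allowed = Settings.skip_confirmation || (!user.nil? && user.confirmed)
  { zone: Settings.zone, allowed: allowed }
ensure
  Settings.zone, Settings.skip_confirmation = saved
end

# Constructed sample traffic: three sequential requests in one process.
def run(handler)
  Settings.zone, Settings.skip_confirmation = "UTC", false   # fresh process
  alice = User.new("alice", "Tokyo", true)    # confirmed user
  bob   = User.new("bob", "UTC", false)       # unconfirmed user
  [
    send(handler, alice, public_page: true),  # 1: page that disables the check
    send(handler, nil),                       # 2: anonymous visitor
    send(handler, bob)                        # 3: unconfirmed user, protected page
  ]
end

p run(:leaky_request)   # requests 2 and 3 inherit request 1's state
p run(:scoped_request)  # each request sees only its own state
```

With the leaky handler the anonymous visitor is served in the previous user's zone and the unconfirmed user passes the confirmation check; with the scoped handler neither happens.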


Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
