This project is archived and is in readonly mode.
Session Cookie breaks if used with custom cookie in rails 2.3.8
Attached is a patch with a simple failing test demonstrating how a session cookie breaks when also using a custom cookie. A newline is prepended to the session cookie which breaks the session. The newline is added because when rails adds the session cookie, it's expecting a Set-Cookie header in the form of a string, separated by newlines. In fact, rails gets an array of cookies so the newline is prepended to the session cookie.
I see there's a suspiciously similar Issue #4714. Reverting to rack 1.0 seems to fix the issue. Not sure where the responsibility lies for this issue.
def set_session_value_and_cookie cookies["foo"] = "bar" session[:foo] = "bar" render :text => Rack::Utils.escape(Verifier.generate(session.to_hash)) end
Comments and changes to this ticket
The issue is due to a change in Rack. Though the responsibility lies with Rails I think.
In ActionController::Response#convert_cookies! the Set-Cookie header is converted to an Array. ActionController then calls Response#finish before returning the response object. In Rack 1.0.1 #finish called Rack::Utils#to_hash on the header hash. This changed all of the values in the header hash to strings, undoing the change made by ActionController. Subsequently the CookieStore was expecting to receive a string and prepending a \n.
In Rack 1.1 #finish doesn't touch the headers, it leaves them as they are. So Rails converts the Set-Cookie header to an Array and its still an array when it gets back up to the CookieStore, so there's no need to prepend a \n.
This is the Rack commit with the change: http://github.com/rack/rack/commit/8f836f406ca10274c6465e17c2b56462...
So my patch solved the issue but it produced some weird behaviour.
Set-Cookieheader to an array if there are any cookies in there, if not, it just leaves it as
In my patch above, if there is already an existing cookie array the
CookieStorewill append the session cookie to that array. If the
Set-Cookieheader is empty then the
CookieStorewill assign it the value of the cookie.
So in one case the value of
Set-Cookieis an Array, in the other case its a String. That seems wrong. Since
ActionController::Response#convert_cookies!sets the header to an array I will ensure that thats preserved up the middleware stack in
CookieStore. Patch attached.
@Noah: interpolation removed. Thanks for noticing.
@TMorgan99: Applying that patch fixes the problem, but it fixes the wrong thing. Rack is not the culprit here. Check the commit message of rack/8f836f406ca10274c6465e17c2b5646257a8412b, it's a good patch. It's up to Rails to update its own middleware to work with the new changes in Rack.
@Aaron: Thanks, the gist saved me a lot a time. It fixed an issue with cucumber-rails as well : http://github.com/aslakhellesoy/cucumber-rails/issues/#issue/40
- State changed from open to resolved
Signed-off-by: Jeremy Kemper email@example.com
Just had a very similar bug with ARStore - https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets...
The fix is similar, perhaps the code which sets the cookie needs to be pulled out into its own method which can be then reused by both?
What do you guys think?
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile »
<h2 style="font-size: 14px">Tickets have moved to Github</h2>
The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>