#4743 Session Cookie breaks if used with custom cookie in rails 2.3.8 - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#4743 ✓resolved

Session Cookie breaks if used with custom cookie in rails 2.3.8

Reported by Noah | June 1st, 2010 @ 05:20 AM | in 2.3.9

Attached is a patch with a simple failing test demonstrating how a session cookie breaks when also using a custom cookie. A newline is prepended to the session cookie which breaks the session. The newline is added because when rails adds the session cookie, it's expecting a Set-Cookie header in the form of a string, separated by newlines. In fact, rails gets an array of cookies so the newline is prepended to the session cookie.

I see there's a suspiciously similar Issue #4714. Reverting to rack 1.0 seems to fix the issue. Not sure where the responsibility lies for this issue.

    def set_session_value_and_cookie
      cookies["foo"] = "bar"
      session[:foo] = "bar"
      render :text => Rack::Utils.escape(Verifier.generate(session.to_hash))
    end

failing_cookie_test.patch 1.4 KB

Comments and changes to this ticket

You flagged this item as spam.
Noah June 1st, 2010 @ 05:22 AM
- Tag set to “rails 2.3.8, bug, cookie_store, session”
You flagged this item as spam.
Jesse Storimer June 1st, 2010 @ 01:41 PM
The issue is due to a change in Rack. Though the responsibility lies with Rails I think.

In ActionController::Response#convert_cookies! the Set-Cookie header is converted to an Array. ActionController then calls Response#finish before returning the response object. In Rack 1.0.1 #finish called Rack::Utils#to_hash on the header hash. This changed all of the values in the header hash to strings, undoing the change made by ActionController. Subsequently the CookieStore was expecting to receive a string and prepending a \n.

In Rack 1.1 #finish doesn't touch the headers, it leaves them as they are. So Rails converts the Set-Cookie header to an Array and its still an array when it gets back up to the CookieStore, so there's no need to prepend a \n.

This is the Rack commit with the change: http://github.com/rack/rack/commit/8f836f406ca10274c6465e17c2b56462...
- custom-cookie-fix.diff 2.1 KB
You flagged this item as spam.
Jesse Storimer June 1st, 2010 @ 01:42 PM
- Tag changed from “rails 2.3.8, bug, cookie_store, session” to “rails 2.3.8, bug, cookie_store, patch, session”
You flagged this item as spam.
TMorgan99 June 1st, 2010 @ 10:51 PM
I have posted a patch on ticket #99 in rack.
Please apply the patch and retest; it appears to have cleared my issue.
You flagged this item as spam.
Noah June 2nd, 2010 @ 03:39 AM
Jesse -

That works. Any reason you're interpolating the cookie? Is it not a string already?
You flagged this item as spam.
Jesse Storimer June 2nd, 2010 @ 03:14 PM
So my patch solved the issue but it produced some weird behaviour. ActionController::Response#convert_cookies! converts the Set-Cookie header to an array if there are any cookies in there, if not, it just leaves it as nil.

In my patch above, if there is already an existing cookie array the CookieStore will append the session cookie to that array. If the Set-Cookie header is empty then the CookieStore will assign it the value of the cookie.

So in one case the value of Set-Cookie is an Array, in the other case its a String. That seems wrong. Since ActionController::Response#convert_cookies! sets the header to an array I will ensure that thats preserved up the middleware stack in CookieStore. Patch attached.

@Noah: interpolation removed. Thanks for noticing.

@TMorgan99: Applying that patch fixes the problem, but it fixes the wrong thing. Rack is not the culprit here. Check the commit message of rack/8f836f406ca10274c6465e17c2b5646257a8412b, it's a good patch. It's up to Rails to update its own middleware to work with the new changes in Rack.
- custom-cookie-fix-preserve-array.diff 2.9 KB
You flagged this item as spam.
Brian Hogan June 4th, 2010 @ 04:31 PM
This seems to work for my apps as well. Can we get this looked at by core ASAP?
Ryan Bigg June 7th, 2010 @ 06:00 AM
- State changed from “new” to “open”
+1 this patch works for me.
Jeremy Kemper June 8th, 2010 @ 09:11 PM
- Milestone set to “2.3.9”
- Assigned user set to “josh”
You flagged this item as spam.
Aaron Gibralter June 9th, 2010 @ 06:07 PM
A temporary hack: http://gist.github.com/431811
You flagged this item as spam.
Gravis June 19th, 2010 @ 04:04 PM
@Aaron: Thanks, the gist saved me a lot a time. It fixed an issue with cucumber-rails as well : http://github.com/aslakhellesoy/cucumber-rails/issues/#issue/40
Repository June 22nd, 2010 @ 10:09 PM
- State changed from “open” to “resolved”
(from [85b6d79d8a17fdef667770e31b44ac6647f8b584]) CookieStore should preserve the Set-Cookie header Array [#4743 state:resolved]

Signed-off-by: Jeremy Kemper jeremy@bitsweat.net
http://github.com/rails/rails/commit/85b6d79d8a17fdef667770e31b44ac...
You flagged this item as spam.
omarqureshi September 22nd, 2010 @ 12:36 PM
Just had a very similar bug with ARStore - https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets...

The fix is similar, perhaps the code which sets the cookie needs to be pulled out into its own method which can be then reused by both?

What do you guys think?