#563 ✓stale
blj

CookieStore & session.session_id

Reported by blj | July 7th, 2008 @ 02:47 PM | in 2.x

I believe there is a bug in session.session_id while using CookieStore. It keeps changing as we add and remove things from the cookie store. This leads to other problems, for example in the RequestForgeryProtection module.

Add something to the flash before you render a form and try to submit it. Do you get an InvalidAuthenticityToken error?

Comments and changes to this ticket

  • Bryan Helmkamp

    Bryan Helmkamp August 25th, 2008 @ 04:26 PM

    • Tag set to 2.0-stable, cookie-store, request-forgery-protection, session_id

    Looks like RequestForgeryProtection is set up to not depend on the session_id value when using a CookieStore. Instead, it uses a csrf_id value inside the cookie.

    That said, we see intermittent InvalidAuthenticityToken exceptions on production that we haven't been able to reproduce or debug, and are trying to track down the cause.

    blj -- What problem are you seeing, specifically?

  • blj

    blj August 26th, 2008 @ 08:51 AM

    As far as I remember, the forgery protection was using the session_id; I was not sure at which point the csrf_id was added. In my opinion changing the session_id is unnecessary, and it happens only when using the cookie session store.

  • josh

    josh November 27th, 2008 @ 03:18 AM

    • State changed from “new” to “stale”
  • Raza Ali

    Raza Ali November 9th, 2009 @ 06:07 AM

    Facing the same ActionController::InvalidAuthenticityToken exception on the live server but unable to reproduce or debug it properly. Any suggestions?

    Environment details: Linux, Rails 2.3.4, Postgres DB.
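
The distinction Bryan Helmkamp draws in the August 25th comment (token derived from a csrf_id stored inside the session versus from the session_id) is the whole question of whether the reported session_id churn can cause InvalidAuthenticityToken. The following Ruby is an added illustration, not Rails code from this ticket or from the Rails source: it models a cookie session whose id is regenerated on every write (the behaviour the reporter describes), then derives a token both ways and checks whether a token issued when a form is rendered still verifies after a flash write. SECRET, FakeCookieSession and the helper names are constructed for the example.

```ruby
require 'digest/sha1'
require 'securerandom'

# Constructed placeholder for the application's forgery-protection secret.
SECRET = 'constructed-example-secret'.freeze

# Minimal stand-in for a cookie-backed session.  To reproduce the behaviour
# the ticket reports, the id is regenerated on every write to the session
# data; nothing else about a real CookieStore is modelled here.
class FakeCookieSession
  attr_reader :data, :session_id

  def initialize
    @data = {}
    @session_id = SecureRandom.hex(16)
  end

  def [](key)
    @data[key]
  end

  def []=(key, value)
    @data[key] = value
    @session_id = SecureRandom.hex(16) # id churns on every write (the bug under discussion)
  end
end

# Token bound to the session id: breaks as soon as the id changes.
def token_from_session_id(session)
  Digest::SHA1.hexdigest("#{SECRET}--#{session.session_id}")
end

# Token bound to a csrf_id kept inside the session data: survives id churn,
# because the id only needs to be stable for the life of the session data.
def token_from_csrf_id(session)
  session[:csrf_id] ||= SecureRandom.hex(16)
  Digest::SHA1.hexdigest("#{SECRET}--#{session[:csrf_id]}")
end

# Render a form (token issued), write to the flash, submit the form (token
# re-derived and compared).  Returns true if the submitted token still verifies.
def token_survives_flash_write?(token_fn)
  session = FakeCookieSession.new
  issued = token_fn.call(session)
  session[:flash] = 'Saved.'          # any write between render and submit
  verified = token_fn.call(session)
  issued == verified
end

def session_id_token_survives?
  token_survives_flash_write?(method(:token_from_session_id))
end

def csrf_id_token_survives?
  token_survives_flash_write?(method(:token_from_csrf_id))
end

if __FILE__ == $PROGRAM_NAME
  puts "session_id-based token survives flash write: #{session_id_token_survives?}"
  puts "csrf_id-based token survives flash write:    #{csrf_id_token_survives?}"
end
```

Under the modelled churn only the csrf_id-derived token keeps verifying, which is why a csrf_id-based scheme is unaffected by the session_id behaviour the reporter saw; an InvalidAuthenticityToken that still appears under such a scheme has to come from somewhere else (a stale form, a changed secret, or a cookie that was not written back). A production verifier should also compare the two tokens with a constant-time comparison rather than `==`; plain equality is used here only to keep the illustration short.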
