Path parameters not recognized when session is :cookie_only => false
Reported by ystael | April 8th, 2011 @ 06:52 PM
When using the ActiveRecord session store with :cookie_only => false set, if the session ID is actually supplied via URL parameter and not via cookie, path parameters designated in the route do not appear in the params hash in the controller. That is, if we have the route

    get "test/aa/:x/:y" => 'test#aa'

and we fetch /test/aa/1/1?_sesstest_session=d069edd7e927526c0f33a060ff529e88 with no session cookie set, params[:x] and params[:y] are nil in the controller action.
I believe the problem is as follows: In ActionDispatch::Session::AbstractStore#extract_session_id (action_dispatch/middleware/session/abstract_store.rb:204), if sid is not fetched from a cookie and @cookie_only is false, then sid is fetched from request.params[@key]. This causes ActionDispatch::Http::Parameters#parameters (action_dispatch/http/parameters.rb:9) to be called to populate @env["action_dispatch.request.parameters"] in the request environment. However, the session store middleware runs before the router, so @env["action_dispatch.request.path_parameters"] has not yet been populated, and @env["action_dispatch.request.parameters"] is populated without the path parameters. Then later when ActionController::Instrumentation#process_action (action_controller/metal/instrumentation.rb:21) preps the filtered parameters, they come by filtering a parameter hash that should have the path parameters in it, but doesn't, so the path parameters never make it to the final controller.
A crude hack that works around the problem is to change ActionDispatch::Http::FilterParameters#filtered_parameters as follows:

    def filtered_parameters
      # Rebuild the parameter hash instead of reusing the memoized copy,
      # so path parameters added by the router after the session store ran
      # are included.
      @filtered_parameters ||= parameter_filter.filter(parameters_uncached)
    end

where ActionDispatch::Http::Parameters#parameters_uncached is a copy of ActionDispatch::Http::Parameters#parameters which forces rebuilding of the hash:

    def parameters_uncached
      # Unconditional assignment (not ||=): always recompute from the
      # current request, query and path parameters.
      @env["action_dispatch.request.parameters"] = begin
        params = request_parameters.merge(query_parameters)
        params.merge!(path_parameters)
        encode_params(params).with_indifferent_access
      end
    end
I don't know whether this is the right way to attack the problem, and I don't know yet whether this patch causes any other issues.
[Note: I require :cookie_only => false because my application is called on the user's behalf by a portal system which does not pass me cookies or permit me to set them. This setup also means that session fixation attacks are not possible without compromising the portal system.]
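The middleware-ordering problem described in the ticket, reduced to a constructed simulation (added here; this is not Rails code, and FakeRequest, run_pipeline and the "rack.query" key are simplified stand-ins for the real request object and environment). It shows the memoized hash freezing before the router runs, and the uncached rebuild picking up the path parameters:

```ruby
# Constructed reproduction of the ordering bug: the session store reads
# request.params before the router has filled in path_parameters, and the
# memoized hash never picks them up afterwards.
class FakeRequest
  PARAMS_KEY = "action_dispatch.request.parameters"
  PATH_KEY   = "action_dispatch.request.path_parameters"

  def initialize(env)
    @env = env
  end

  def query_parameters; @env.fetch("rack.query", {}); end   # assumed key
  def path_parameters;  @env.fetch(PATH_KEY, {}); end

  # Mirrors the memoized Parameters#parameters: whatever path_parameters
  # contained at the first call is what every later call returns.
  def parameters
    @env[PARAMS_KEY] ||= query_parameters.merge(path_parameters)
  end

  # The ticket's workaround: rebuild the hash on every call.
  def parameters_uncached
    @env[PARAMS_KEY] = query_parameters.merge(path_parameters)
  end
end

# Runs the stages in middleware order (session store, router, controller)
# and returns what the controller sees for the cached vs. uncached lookup.
def run_pipeline(uncached:)
  env = { "rack.query" => { "_sesstest_session" => "constructed-sid" } }
  request = FakeRequest.new(env)

  # 1. Session store with :cookie_only => false has no cookie, so it falls
  #    back to the URL parameter, populating (and memoizing) the hash early.
  sid = request.parameters["_sesstest_session"]

  # 2. Router matches "test/aa/:x/:y" and records the path parameters.
  env[FakeRequest::PATH_KEY] = { "x" => "1", "y" => "1" }

  # 3. Controller reads the parameters for the action.
  params = uncached ? request.parameters_uncached : request.parameters
  { sid: sid, x: params["x"], y: params["y"] }
end
```

With the memoized lookup x and y come back nil even though the router set them; the uncached rebuild returns "1" for both.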