
#6763 new
Chris Corbyn

Deleting a cookie and calling reset_session in the same controller action does not send new session cookie

Reported by Chris Corbyn | May 2nd, 2011 @ 08:43 AM

Rails 3.0.7, ruby-1.9.2 (via RVM). Take the following code:

class LoginController < ApplicationController
  # ... SNIP ...

  # Logout: clear the "remember me" cookie, discard the server-side
  # session (which also generates a new session ID), then redirect.
  def destroy
    cookies.delete(:secureusertokens)
    reset_session
    redirect_to root_url
  end
end

This is simply a logout. It resets the session and deletes any "remember me" cookie that may be set.

Unfortunately, while a new session ID is generated, the Set-Cookie: header lacks this information (presumably because the session logic has a reference to some stale cookie data, and the controller overwrites it).

The session key is just SESSID in these headers.

In the request:

Cookie: hiddenalerts=site_vrfy_124258; __utmz=REMOVED_INFO.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); elpriv=REMOVED_INFO; SESSID=b39a9a89bb6a39ea91b620fe0da392ed; __utma=REMOVED_INFO; __utmc=REMOVED_INFO; __utmb=REMOVED_INFO

And in the response (no mention of the newly generated session ID):

Set-Cookie: secureusertokens=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT

Now, if I remove the call to cookies.delete(...) in the controller:

In the request (identical):

Cookie: hiddenalerts=site_vrfy_124258; __utmz=REMOVED_INFO.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); elpriv=REMOVED_INFO; SESSID=b39a9a89bb6a39ea91b620fe0da392ed; __utma=REMOVED_INFO; __utmc=REMOVED_INFO; __utmb=REMOVED_INFO

And in the response (correct!!):

Set-Cookie: SESSID=50640523cf32b5b0fe8c93eb16aba6dc; path=/; HttpOnly

It seems that I can either have the new session ID sent, or the "remember me" cookie deleted, but not both. I can work around this by manually sending the new cookie, but it seems like a bug to me ;)

I have my own custom SessionStore (MemCache + MySQL), but it does not set these cookies, that happens elsewhere.
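As an added illustration (not code from the ticket or from Rails), the following Ruby snippet reproduces the check the reporter did by hand on the Set-Cookie headers: a logout response is only sound when it both clears the remember-me cookie and sends a fresh session ID, so that the browser stops presenting the old one. The cookie names SESSID and secureusertokens come from the ticket; the in-memory session store (a plain Hash), the helper names and the sample request header are assumptions made for the example. The example runs stand-alone without Rails.

```ruby
require 'securerandom'

# Cookie names as they appear in the ticket's headers.
SESSION_KEY  = 'SESSID'.freeze
REMEMBER_KEY = 'secureusertokens'.freeze

# Parse a raw "Cookie:" request header into a name => value hash.
def parse_cookie_header(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, acc|
    name, value = pair.split('=', 2)
    acc[name] = value if name && !name.empty?
  end
end

# Parse a list of Set-Cookie lines into name => { value:, attrs: }.
# Attribute names are lower-cased; flag attributes (HttpOnly) map to nil.
def parse_set_cookies(lines)
  lines.each_with_object({}) do |line, acc|
    parts = line.split(/;\s*/)
    name, value = parts.shift.split('=', 2)
    attrs = parts.map { |p| p.split('=', 2) }.to_h { |k, v| [k.downcase, v] }
    acc[name] = { value: value.to_s, attrs: attrs }
  end
end

# Build the Set-Cookie lines a logout response should carry (assumed
# hand-rolled equivalent of cookies.delete + reset_session). The old
# server-side session is destroyed and a fresh, unpredictable ID issued.
def logout_headers(request_cookies, session_store)
  old_id = request_cookies[SESSION_KEY]
  session_store.delete(old_id) if old_id
  new_id = SecureRandom.hex(16)
  session_store[new_id] = {}
  [
    "#{REMEMBER_KEY}=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly",
    "#{SESSION_KEY}=#{new_id}; path=/; HttpOnly"
  ]
end

# Return the problems found in a logout response; empty when it is sound.
def logout_problems(request_cookie_header, set_cookie_lines)
  req = parse_cookie_header(request_cookie_header)
  res = parse_set_cookies(set_cookie_lines)
  problems = []

  sess = res[SESSION_KEY]
  if sess.nil?
    problems << "no #{SESSION_KEY} Set-Cookie: browser keeps old id #{req[SESSION_KEY]}"
  elsif sess[:value] == req[SESSION_KEY]
    problems << "#{SESSION_KEY} not rotated"
  end

  rem = res[REMEMBER_KEY]
  if rem.nil?
    problems << "#{REMEMBER_KEY} not cleared"
  elsif !rem[:value].empty? || !rem[:attrs].key?('expires')
    problems << "#{REMEMBER_KEY} still set"
  end

  problems
end

if __FILE__ == $0
  # Constructed request header, trimmed from the one in the ticket.
  req = 'hiddenalerts=site_vrfy_124258; SESSID=b39a9a89bb6a39ea91b620fe0da392ed; elpriv=REMOVED_INFO'
  # The two responses the ticket shows: each satisfies only half of logout.
  with_delete    = ['secureusertokens=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT']
  without_delete = ['SESSID=50640523cf32b5b0fe8c93eb16aba6dc; path=/; HttpOnly']
  p logout_problems(req, with_delete)
  p logout_problems(req, without_delete)
  store = { 'b39a9a89bb6a39ea91b620fe0da392ed' => { user_id: 1 } }
  p logout_problems(req, logout_headers(parse_cookie_header(req), store))
end
```

Run against the two responses quoted in the ticket, the checker flags the missing SESSID cookie in the first and the uncleared secureusertokens cookie in the second; only a response carrying both lines passes. The same function can sit in an integration test for a logout action, so a regression of this kind is caught by the test suite rather than by reading headers in a browser.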


Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
