
I am implementing a web app using Rails 4.2.0 and Ruby 2.2.0 and facing the problem that every time a request is made, a new session is set. In that case I cannot save anything to the session since it's gone. That also leads to the situation that the authenticity token cannot be checked.

For testing purposes, forgery protection is disabled in ApplicationController, so that's not the reason why the session is reset.

class ApplicationController < ActionController::Base
  #protect_from_forgery with: :null_session
  skip_before_action :verify_authenticity_token
end

I am using the active record store to save the session, but the same happens with the cookie store:

MyApp::Application.config.session_store :active_record_store, :key => '_myapp_session', domain: :all, tld_length: 2

Every time a request is made, a new entry is inserted into the sessions table with a new session_id, and the session cookie in the browser points to the new session.

Any ideas what could reset the session?

This happens only in the production environment. In development everything is fine.

lunatic
    Did you ever figure out your problem? I am having the same issue now. Doesn't really make sense :/ – Andy Sep 24 '15 at 15:14
  • Well, I didn't figure out the problem, but the problem is gone somehow. It was strange. Did you try to delete session cookie and reload the page? Try and see what happens. – lunatic Oct 01 '15 at 05:58

1 Answer

Your issue is due to the call to skip_before_action :verify_authenticity_token; if the authenticity token is not verified, Rails will reset the session. You also want to re-enable protect_from_forgery.

I've also seen AJAX requests without an authenticity token cause the session to reset; again, more detail here: http://www.kalzumeus.com/2011/11/17/i-saw-an-extremely-subtle-bug-today-and-i-just-have-to-tell-someone/

Ref: https://stackoverflow.com/a/11943243/449342

Michael De Silva
  • I removed `skip_before_action :verify_authenticity_token` and uncommented `protect_from_forgery`, but the problem still persists. – lunatic Aug 20 '15 at 08:27
  • The problem in the first place was that I had `ActionController::InvalidAuthenticityToken` exceptions during POST requests, which is obvious, since CSRF checks are performed during POST requests. I have an `authenticity_token` hidden field in my form, so that was not the issue. I still think the issue is that the session is reset after every request. – lunatic Aug 20 '15 at 08:38
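Added illustration, not code from the question, the answer or Rails itself: a stand-alone Ruby model of the three `protect_from_forgery with:` strategies the thread touches on (`:reset_session`, `:null_session`, `:exception`), showing why a POST whose token is not verified leaves the caller with a fresh, empty session under `:reset_session` while `:null_session` keeps the stored session intact. The `ForgeryProtection` and `CsrfTokenMismatch` names and the Hash-based session are this example's own assumptions; it does not load Rails.

```ruby
require 'securerandom'

class CsrfTokenMismatch < StandardError; end

# Model (not Rails' own code) of how request-forgery protection handles a
# non-GET request whose submitted token does not match the session's token.
class ForgeryProtection
  STRATEGIES = %i[reset_session null_session exception].freeze

  # session: a Hash standing in for the Rails session store entry
  def initialize(session, strategy: :reset_session)
    raise ArgumentError, "unknown strategy #{strategy}" unless STRATEGIES.include?(strategy)
    @session = session
    @strategy = strategy
  end

  # Token the form's hidden field (or the X-CSRF-Token header) must echo back.
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Returns the session the rest of the request may use.
  def verify(method:, submitted_token:)
    return @session if %w[GET HEAD].include?(method.upcase) # only state-changing requests are checked
    return @session if valid_token?(submitted_token)

    case @strategy
    when :reset_session
      # Old session is thrown away: new id, empty store, new token on the next form render.
      @session.clear
      @session[:id] = SecureRandom.hex(16)
      @session
    when :null_session
      # Stored session survives; this request just sees an empty one.
      {}
    when :exception
      raise CsrfTokenMismatch, 'authenticity token does not match'
    end
  end

  private

  # Constant-time comparison so response timing does not leak how many bytes matched.
  def valid_token?(submitted)
    expected = form_authenticity_token
    return false if submitted.nil? || submitted.bytesize != expected.bytesize
    submitted.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end
```

With `:reset_session`, any form rendered before the failed POST carries a token that no longer exists in the new session, so a page that keeps posting stale tokens looks exactly like "the session is reset on every request".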