
I am using the command "reset_session" as per here to avoid Session Fixation.

After running the command I would like to store the new generated session_id in the database but session[:session_id] is not defined.

I wrote a simple test:

class ApplicationController < ActionController::Base
  protect_from_forgery
  # Runs after every action so the session can be inspected before and after the reset.
  after_filter :after_test
  def after_test
    RAILS_DEFAULT_LOGGER.debug "Old Session: #{session.inspect}"
    reset_session                                  # discard the old session (Session Fixation mitigation)
    session[:random_number] = ((rand*1000).to_i)   # marker value to prove the new session persists
    RAILS_DEFAULT_LOGGER.debug "New Session: #{session.inspect}"
  end
end

Result in the log for two consecutive page loads is:

Started GET "/" for 127.0.0.1 at 2011-04-16 11:42:57 +0200
Processing by WelcomeController#index as HTML
Rendered welcome/index.html.erb within layouts/application (1.9ms)
Old Session: {"random_number"=>519, "session_id"=>"d17df62e286f20bd25e2714ee4f58020", "_csrf_token"=>"NkD5ZjG/RYLolfRy0ADmr+h+Sp2TXEOQlc6HhNpyp/g="}
New Session: {:random_number=>172}
Completed 200 OK in 7ms (Views: 6.4ms | ActiveRecord: 0.0ms)

and

Started GET "/" for 127.0.0.1 at 2011-04-16 11:42:58 +0200
Processing by WelcomeController#index as HTML
Rendered welcome/index.html.erb within layouts/application (2.0ms)
Old Session: {"random_number"=>172, "session_id"=>"54f46f520c80044a9f5475af78a05502", "_csrf_token"=>"9skbBEN35jQYRgH9oQVz1D5Hsi/o9l7fm7Qx9XDNETc="}
New Session: {:random_number=>497}
Completed 200 OK in 7ms (Views: 6.4ms | ActiveRecord: 0.0ms)

As you can see the random number (172) is properly passed to the second page but the New Session does not show the new session id.

I think the new session id ("54f46f520c80044a9f5475af78a05502") is generated after the "after_filter" but I don't know how to retrieve it.

Lucamug

1 Answer


Yes, Rails has this problem. There is a ticket - https://rails.lighthouseapp.com/projects/8994/tickets/2200-session-support-broken

And as you can see it hasn't been resolved yet.

Vasiliy Ermolovich
  • This seems an old ticket related to an old version of Rails and it is also marked as "resolved". Rails now seems to handle the session well. This matter seems unrelated to the question. – Lucamug Apr 16 '11 at 17:53
  • No, it's related to the new Rails version too. `session_id` is not created after `reset_session`, only after new request. And it has not been resolved. – Vasiliy Ermolovich Apr 16 '11 at 17:59
  • Sorry, I read it better and you are right. I am surprised that this issue is still there. session_id is actually created during the reset_session request, but not just after running the reset_session command... – Lucamug Apr 16 '11 at 21:00
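The behaviour discussed in this thread (the new session id only exists once the response is committed, so it cannot be read or stored right after the reset) can be reproduced with a small constructed model of a server-side session store. The example below is added here and is not Rails code or code from anyone in the thread; LazySessionStore, its lazy and eager reset methods, and the two scenario helpers are all assumptions made up for illustration. It shows both the lazy variant that matches the log output above and an eager variant that mints the id at reset time so a caller can persist it before the response goes out, while still rejecting an unknown or attacker-supplied cookie value instead of adopting it:

```ruby
require 'securerandom'

# Constructed stand-in for a server-side session store (not Rails' own).
# Sessions are keyed by id; an id is assigned lazily at commit time,
# which is the behaviour the question observed after reset_session.
class LazySessionStore
  attr_reader :sessions

  def initialize
    @sessions = {}  # session_id => Hash of session data
  end

  # Load the session named by the incoming cookie. An unknown or missing id
  # starts an empty session with no id yet: the store never adopts a value
  # it did not issue, which is the anti-fixation check.
  def load(cookie_sid)
    if cookie_sid && @sessions.key?(cookie_sid)
      { id: cookie_sid, data: @sessions[cookie_sid].dup }
    else
      { id: nil, data: {} }
    end
  end

  # Lazy reset: drop the old session and return a fresh one without an id.
  # The id will only exist once commit runs at the end of the request.
  def reset(session)
    @sessions.delete(session[:id]) if session[:id]
    { id: nil, data: {} }
  end

  # Eager reset: mint the new id immediately so the caller can record it
  # (for example in a database) before the response is committed.
  def reset_eager(session)
    @sessions.delete(session[:id]) if session[:id]
    { id: SecureRandom.hex(16), data: {} }
  end

  # Commit at the end of the request: assign an id if none exists yet,
  # persist the data under it and return the id that went into the cookie.
  def commit(session)
    sid = session[:id] || SecureRandom.hex(16)
    @sessions[sid] = session[:data]
    sid
  end
end

# Replays the question's two page loads against the lazy reset.
def lazy_scenario
  store = LazySessionStore.new
  s = store.load(nil)                  # first request: no cookie yet
  s[:data][:random_number] = 519
  sid1 = store.commit(s)               # first response sets this cookie

  s = store.load(sid1)                 # second request carries the cookie
  s = store.reset(s)                   # like reset_session: id is now nil
  id_seen_in_filter = s[:id]           # what the after_filter could observe
  s[:data][:random_number] = 172
  sid2 = store.commit(s)               # the new id only exists from here on
  { old: sid1, seen_in_filter: id_seen_in_filter, new: sid2,
    old_still_valid: store.sessions.key?(sid1) }
end

# Same flow with the eager reset: the id is known inside the request.
def eager_scenario
  store = LazySessionStore.new
  s = store.load(nil)
  sid1 = store.commit(s)

  s = store.load(sid1)
  s = store.reset_eager(s)
  id_seen_in_filter = s[:id]           # available now; safe to persist
  sid2 = store.commit(s)               # commit reuses the minted id
  { old: sid1, seen_in_filter: id_seen_in_filter, new: sid2,
    old_still_valid: store.sessions.key?(sid1) }
end

if __FILE__ == $0
  p lazy_scenario
  p eager_scenario
end
```

In the lazy run, seen_in_filter is nil and the new id differs from the old one, which is exactly what the two log excerpts above show; in the eager run the id observed inside the request equals the one committed, so it can be written to the database at that point. In both runs the old id is gone from the store, so a cookie carrying it no longer resolves to a live session.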