Mislav Marohnić
2010-Sep-08 14:01 UTC
Rails 2.3.9 breaks sessions with Active Record or Memcache store
A Rails 2.3.9 app with Active Record or Memcache session store will never send the session ID cookie to a client if the client doesn't send any HTTP cookies in its requests. Rails integration tests didn't catch this because they always send the HTTP_COOKIE header, even if it's empty.

This is a huge bug, as it can break keeping sessions on sites which don't set any additional cookies for its visitors. Visitors without existing cookies will not be able to log in, for example (this is how I discovered the bug).

Lighthouse ticket and fix is here: <https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/5581-session-cookie-not-sent-with-activerecord-or-memcache-store-in-rails-239>

An unobtrusive monkeypatch for existing apps can also be found on the ticket.
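A regression check for the behaviour reported in the message above, as an added example that is not part of the original thread and is not Rails code: ToySessionStore is a constructed Rack-style middleware whose require_cookie_header switch is an assumed model of the failure, and the _session_id cookie name is likewise assumed. It requests the app once with no Cookie header and once with an empty one, the case the message says the integration tests always exercised.

```ruby
# Added example: toy Rack-style session middleware (constructed, not Rails code).
require 'securerandom'

# Assumed model of the reported failure: when require_cookie_header is true,
# a session cookie is only issued if the request env has an HTTP_COOKIE key.
class ToySessionStore
  def initialize(app, require_cookie_header:)
    @app = app
    @require_cookie_header = require_cookie_header
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Look for an existing session ID in the Cookie header (nil if absent).
    sid = env['HTTP_COOKIE'].to_s[/(?:\A|;\s*)_session_id=([^;]+)/, 1]
    if sid.nil? && (!@require_cookie_header || env.key?('HTTP_COOKIE'))
      cookie = "_session_id=#{SecureRandom.hex(16)}; path=/; HttpOnly"
      headers = headers.merge('Set-Cookie' => cookie)
    end
    [status, headers, body]
  end
end

# Constructed request envs: a first-time visitor sends no Cookie header at all,
# while an integration-test style request sends an empty one.
REQUEST_ENVS = {
  no_cookie_header: { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/login' },
  empty_cookie_header: { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/login',
                         'HTTP_COOKIE' => '' }
}.freeze

# Returns { case_name => true/false }, true when a session cookie was issued.
def session_cookie_issued(app)
  REQUEST_ENVS.each_with_object({}) do |(name, env), result|
    _status, headers, _body = app.call(env.dup)
    result[name] = headers['Set-Cookie'].to_s.start_with?('_session_id=')
  end
end

INNER  = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
BROKEN = ToySessionStore.new(INNER, require_cookie_header: true)
FIXED  = ToySessionStore.new(INNER, require_cookie_header: false)

if __FILE__ == $PROGRAM_NAME
  p broken: session_cookie_issued(BROKEN), fixed: session_cookie_issued(FIXED)
end
```

Only the request with no Cookie header separates the two variants, so a test suite that always sends the header passes against both.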
Prem Sichanugrist
2010-Sep-08 14:02 UTC
Re: Rails 2.3.9 breaks sessions with Active Record or Memcache store
Thanks for catching that. Will get someone to apply that asap. :(

On 8 Sep 2553 BE, at 21:01, Mislav Marohnić wrote:
> A Rails 2.3.9 app with Active Record or Memcache session store will never send the session ID cookie to a client if the client doesn't send any HTTP cookies in its requests. Rails integration tests didn't catch this because they always send the HTTP_COOKIE header, even if it's empty.
>
> This is a huge bug, as it can break keeping sessions on sites which don't set any additional cookies for its visitors. Visitors without existing cookies will not be able to log in, for example (this is how I discovered the bug).
>
> Lighthouse ticket and fix is here.
>
> An unobtrusive monkeypatch for existing apps can also be found on the ticket.
tschundeee
2010-Sep-26 00:30 UTC
Re: Rails 2.3.9 breaks sessions with Active Record or Memcache store
You are absolutely right! I just wanted to post this error right now... My simple session login doesn't work anymore due to Rails 2.3.9 :(

On Sep 8, 4:01 pm, Mislav Marohnić <mislav.maroh...@gmail.com> wrote: ...