I've searched this group for reports of this problem but didn't find anything useful.

I am doing the following with plain vanilla Rails 1.1.6 running WEBrick.

View:
<form action="/home/post_photo" method="POST" enctype="multipart/form-data">
  <p>Upload photo<br />
  <input id="_photo" name="photo" type="file" /><br />
  <input name="commit" type="submit" value="Upload" /></p>
  <input name="obj_id" type="hidden" value="2" />
  <input name="_session_id" type="hidden" value="f1d1e1d3d6378fdaf05e9dad87c168cf" />
</form>

Controller:
def post_photo
  session[:photo_original_filename] = params[:photo][:original_filename]
  redirect_to :controller => 'home', :action => 'index'
end

Problem:
I log in with a user account and have access to all member-only pages.
Then I access the file upload view, select a local file and press the [Upload] button.
I was supposed to be redirected to /home/index where session[:photo_original_filename] is displayed.
However I was redirected to the Login page instead. This was because my authenticate user filter had
failed when it shouldn't.

I figure the session may have changed so I recorded the session_id before and after [Upload] button
was pressed. They were indeed different.

Next, I remove the enctype="multipart/form-data" part from the form declaration. I perform the steps
again and was redirected to /home/index, as expected (with my current session remained intact).

So, I don't know what the problem is and do hope someone could provide some insight.

Much appreciated,

-- Long

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Well, I tried a few more things and found the culprit:

<input name="_session_id" type="hidden" value="f1d1e1d3d6378fdaf05e9dad87c168cf" />

I removed the above line and the file upload worked as expected (well almost). It seems there is
something quirky with enctype= and _session_id processing.

Bug: params[:photo][:original_filename] should be params[:photo].original_filename

Hope this will be useful to some for reference.

Cheers,

-- Long

----- Original Message -----
From: "Long" <long755-bJEeYj9oJeDQT0dZR+AlfA@public.gmane.org>
To: <rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
Sent: Friday, August 31, 2007 12:04 AM
Subject: [Rails] Lost session with file upload

> I've searched this group for reports of this problem but didn't find anything useful.
>
> I am doing the following with plain vanilla Rails 1.1.6 running WEBrick.
>
> View:
> <form action="/home/post_photo" method="POST" enctype="multipart/form-data">
>   <p>Upload photo<br />
>   <input id="_photo" name="photo" type="file" /><br />
>   <input name="commit" type="submit" value="Upload" /></p>
>   <input name="obj_id" type="hidden" value="2" />
>   <input name="_session_id" type="hidden" value="f1d1e1d3d6378fdaf05e9dad87c168cf" />
> </form>
>
> Controller:
> def post_photo
>   session[:photo_original_filename] = params[:photo][:original_filename]
>   redirect_to :controller => 'home', :action => 'index'
> end
>
> Problem:
> I log in with a user account and have access to all member-only pages.
> Then I access the file upload view, select a local file and press the [Upload] button.
> I was supposed to be redirected to /home/index where session[:photo_original_filename] is displayed.
> However I was redirected to the Login page instead. This was because my authenticate user filter had
> failed when it shouldn't.
>
> I figure the session may have changed so I recorded the session_id before and after [Upload] button
> was pressed. They were indeed different.
>
> Next, I remove the enctype="multipart/form-data" part from the form declaration. I perform the steps
> again and was redirected to /home/index, as expected (with my current session remained intact).
>
> So, I don't know what the problem is and do hope someone could provide some insight.
>
> Much appreciated,
>
> -- Long
Hi Long,

this is my personal experience, even if you don't put _session_id in
any of your forms, still the _session_id will be sent as part of each
request which is stored in the browser side cookies, and these values are of
32-character length, and randomly generated by rails for each successful
authorization and they will be used for serialization of "session"
attribute of action_controller under the directory "tmp/sessions/".
This folder contains "ruby-session-#{_session_id}" files which will be
read at each request and de-serialized to populate session hash.
So, since you hard-coded the value of _session_id in your form it
always goes to that file which contains this value as part of file name,
which obviously takes you to a different session than what you usually expect.

On Sep 1, 4:36 am, "Long" <long...-bJEeYj9oJeDQT0dZR+AlfA@public.gmane.org> wrote:
> Well, I tried a few more things and found the culprit:
>
> <input name="_session_id" type="hidden" value="f1d1e1d3d6378fdaf05e9dad87c168cf" />
>
> I removed the above line and the file upload worked as expected (well almost). It seems there is
> something quirky with enctype= and _session_id processing.
>
> Bug: params[:photo][:original_filename] should be params[:photo].original_filename
>
> Hope this will be useful to some for reference.
>
> Cheers,
>
> -- Long
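The lookup raghukumar describes above, sketched as an added example that is not part of the original thread and not Rails' own code: a simplified store with one "ruby-session-<id>" file per session, resolved once with a permissive rule and once from the cookie only. That a `_session_id` form field overrides the cookie is an assumption of this model; `FileSessionStore`, both resolver functions, the `user_id` value and the stale-field scenario are constructed for illustration.

```ruby
require "tmpdir"
require "securerandom"

# Simplified model of a file-backed session store (hypothetical, not Rails code):
# one file per session, named "ruby-session-<id>", holding a marshalled Hash.
class FileSessionStore
  ID_FORMAT = /\A[0-9a-f]{32}\z/ # 32 hex characters, like the id in the thread

  def initialize(dir)
    @dir = dir
  end

  # Creates a session under a fresh random id and returns that id.
  def create(data = {})
    id = SecureRandom.hex(16)
    save(id, data)
    id
  end

  def save(id, data)
    File.binwrite(path(id), Marshal.dump(data))
  end

  # Returns the stored Hash, or nil for a missing or malformed id. The format
  # check matters because the id becomes part of a file name.
  def load(id)
    return nil unless id.is_a?(String) && id.match?(ID_FORMAT)
    file = path(id)
    File.exist?(file) ? Marshal.load(File.binread(file)) : nil
  end

  private

  def path(id)
    raise ArgumentError, "malformed session id" unless id.match?(ID_FORMAT)
    File.join(@dir, "ruby-session-#{id}")
  end
end

# Assumed permissive lookup: a "_session_id" request parameter wins over the cookie.
def resolve_permissive(store, params, cookies)
  store.load(params["_session_id"] || cookies["_session_id"]) || {}
end

# Hardened lookup: only the cookie names the session; the form field is ignored.
def resolve_cookie_only(store, _params, cookies)
  store.load(cookies["_session_id"]) || {}
end

# Constructed scenario: the hidden field carries an id that differs from the
# cookie's, so the two lookups open different session files.
def demo
  Dir.mktmpdir do |dir|
    store = FileSessionStore.new(dir)
    field_id = "f1d1e1d3d6378fdaf05e9dad87c168cf" # value from the posted form
    store.save(field_id, {})                      # a session with no logged-in user
    live_id = store.create({ user_id: 42 })       # the session the cookie points at
    params  = { "_session_id" => field_id, "obj_id" => "2" }
    cookies = { "_session_id" => live_id }
    {
      permissive:  resolve_permissive(store, params, cookies)[:user_id],
      cookie_only: resolve_cookie_only(store, params, cookies)[:user_id],
      traversal:   store.load("../../etc/passwd") # rejected by the format check
    }
  end
end

p demo if __FILE__ == $0
```

With the permissive rule the request lands in the session named by the form field and the login is gone; the cookie-only rule keeps the authenticated session regardless of what the form submits.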
rein.henrichs-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2007-Sep-01 18:22 UTC
Re: Lost session with file upload - resolved
If the user agent disables cookies, there's not much point to trying
to use session, is there?

Rein

On Sep 1, 2:17 pm, "Long" <long...-bJEeYj9oJeDQT0dZR+AlfA@public.gmane.org> wrote:
> Hi,
>
> Sorry I should have written 'Generated View' instead since it was copied from my Browser using view
> source.
>
> I agree with your point, for browsers with default settings (cookies enabled). However, I don't
> think we can (should) trust browsers to pass cookies in all cases. That was my reason for including
> the session id in a hidden field. It works fine for regular forms on browsers with and without
> cookies support, and not just with Rails.
>
> I believe this is a Rails bug (at least in 1.1.6) and hope someone from Rails Core can use what I've
> documented here to investigate further.
>
> Regards,
>
> -- Long
Hi,

Sorry I should have written 'Generated View' instead since it was copied from my Browser using view
source.

I agree with your point, for browsers with default settings (cookies enabled). However, I don't
think we can (should) trust browsers to pass cookies in all cases. That was my reason for including
the session id in a hidden field. It works fine for regular forms on browsers with and without
cookies support, and not just with Rails.

I believe this is a Rails bug (at least in 1.1.6) and hope someone from Rails Core can use what I've
documented here to investigate further.

Regards,

-- Long

----- Original Message -----
From: "raghukumar" <raghukumar.rags-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: "Ruby on Rails: Talk" <rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
Sent: Saturday, September 01, 2007 9:30 AM
Subject: [Rails] Re: Lost session with file upload - resolved

> Hi Long,
> this is my personal experience, even if you don't put _session_id in
> any of your forms, still the _session_id will be sent as part of each
> request which is stored in the browser side cookies, and these values are of
> 32-character length, and randomly generated by rails for each successful
> authorization and they will be used for serialization of "session"
> attribute of action_controller under the directory "tmp/sessions/".
> This folder contains "ruby-session-#{_session_id}" files which will be
> read at each request and de-serialized to populate session hash.
> So, since you hard-coded the value of _session_id in your form it
> always goes to that file which contains this value as part of file name,
> which obviously takes you to a different session than what you usually expect.
Sure, if there is a will there is a way... ;-)

http://edgesoft.ca/blog/read/2 - No-Cookie Session Support plugin

-- Long

----- Original Message -----
From: <rein.henrichs-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: "Ruby on Rails: Talk" <rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
Sent: Saturday, September 01, 2007 1:22 PM
Subject: [Rails] Re: Lost session with file upload - resolved

> If the user agent disables cookies, there's not much point to trying
> to use session, is there?
>
> Rein