SessionStore does not write session if internals of session['flash'] are modified #30

devrandom1 opened this Issue Dec 7, 2011 · 4 comments


None yet
3 participants

SessionStore::Session.set_session gets the memorized session model instance from env, then updates session_data. However, session.dirty? is false even if the internals of the flash changed, because they were already modified by the flash object.

The fix seems to be to replace:

session = get_session_resource(env, sid)


session = find_session(sid)

to get a fresh copy.


I'm seeing the same thing. It seems like the real issue is that the data attribute isn't properly detecting that it is dirty.

I take that back. The active_record session store clears out env[SESSION_RECORD_KEY] and generates a new session id on #destroy_session. Changing the dm session_store to do the same fixes the issue for me:

def destroy_session(env, sid = nil, options = {})
    sid ||= current_session_id(env)
    env[SESSION_RECORD_KEY] = nil

tpitale commented Oct 22, 2012

+1 I'm still seeing this as an issue. Any chance of a fix, 9 months on?


tpitale commented Feb 7, 2016

This is unlikely to be fixed. We may even remove this implementation from the session store. Dirtiness is dependent on object id changing, but when you change the internals of a hash, it does not change, IIRC.

Will take a look again to confirm.

tpitale self-assigned this Feb 7, 2016

tpitale closed this Jul 29, 2016


tpitale commented Jul 29, 2016

This is definitely a dirtiness tracking issue for the internals of a hash. Unlikely to ever be fixed afaict. There are some hacks around tracking, but I don't think they apply well here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment