Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rack::Session::Cookie no longer round-trips with JSON coder #1666

matsadler opened this issue May 28, 2020 · 1 comment · Fixed by #1667

Rack::Session::Cookie no longer round-trips with JSON coder #1666

matsadler opened this issue May 28, 2020 · 1 comment · Fixed by #1667


Copy link

I'm upgrading an application currently using Rack 1.6.11 to the latest Rack 2.2.2. I'm running in to an issue with Rack::Session::Cookie configured with coder:

       undefined method `public_id' for #<String:0x00007f868b8594e0>
       Did you mean?  public_send
# ./.bundle/gems/rack-2.2.2/lib/rack/session/abstract/id.rb:458:in `[]'

I've reduced this down to:

require "rack"
# Rack::Session::Cookie needs this but doesn't require it?
require "delegate"

# our app
app = do |env|
  # write something to the session to create the cookie on first call
  env["rack.session"]["foo"] = "bar"
  # read session ID to trigger bug on second call
  [200, {}, ["ok"]]

# wrap app in cookie session middleware, with json coder
wrapped =,
  secret: "foo",

# first call to get a cookie
env = {}
status, headers, body =
cookie = headers["Set-Cookie"].split(";").first

# trigger the bug
env = {"HTTP_COOKIE" => cookie}

This worked fine with 1.6.11 (and presumably before, although I haven't tested), and with 2.0.1 through 2.0.7.

1.6.12 and 1.6.13 fail because the json library used (OkJson) refuses to encode Rack::Session::SessionId.
2.0.8 fails with RuntimeError and no message.
2.0.9 is the start of the NoMethodError: undefined method 'public_id' error.

Copy link

I agree that this is a bug. I have a local fix for it, now just need to add a test and then I'll submit a pull request.

jeremyevans added a commit to jeremyevans/rack that referenced this issue May 28, 2020

This is an issue because SessionId doesn't round trip through JSON.
However, it probably has the same security issue as before SessionId
was introduced.

It may be better to eliminate the session id completely for cookie
sessions, since there is no reason cookie sessions need an id (an
id is only needed for memcache/memory/database sessions).

Fixes rack#1666
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet
2 participants