Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rack::Session::Cookie no longer round-trips with JSON coder #1666

Closed
matsadler opened this issue May 28, 2020 · 1 comment
Closed

Rack::Session::Cookie no longer round-trips with JSON coder #1666

matsadler opened this issue May 28, 2020 · 1 comment

Comments

@matsadler
Copy link

@matsadler matsadler commented May 28, 2020

I'm upgrading an application currently using Rack 1.6.11 to the latest Rack 2.2.2. I'm running in to an issue with Rack::Session::Cookie configured with coder: Rack::Session::Cookie::Base64::JSON.new:

NoMethodError:
       undefined method `public_id' for #<String:0x00007f868b8594e0>
       Did you mean?  public_send
# ./.bundle/gems/rack-2.2.2/lib/rack/session/abstract/id.rb:458:in `[]'

I've reduced this down to:

require "rack"
# Rack::Session::Cookie needs this but doesn't require it?
require "delegate"

# our app
app = Proc.new do |env|
  # write something to the session to create the cookie on first call
  env["rack.session"]["foo"] = "bar"
  # read session ID to trigger bug on second call
  env["rack.session"]["session_id"]
  [200, {}, ["ok"]]
end

# wrap app in cookie session middleware, with json coder
wrapped = Rack::Session::Cookie.new(app,
  secret: "foo",
  coder: Rack::Session::Cookie::Base64::JSON.new)

# first call to get a cookie
env = {}
status, headers, body = wrapped.call(env)
cookie = headers["Set-Cookie"].split(";").first

# trigger the bug
env = {"HTTP_COOKIE" => cookie}
wrapped.call(env)

This worked fine with 1.6.11 (and presumably before, although I haven't tested), and with 2.0.1 through 2.0.7.

1.6.12 and 1.6.13 fail because the json library used (OkJson) refuses to encode Rack::Session::SessionId.
2.0.8 fails with RuntimeError and no message.
2.0.9 is the start of the NoMethodError: undefined method 'public_id' error.

@jeremyevans
Copy link
Collaborator

@jeremyevans jeremyevans commented May 28, 2020

I agree that this is a bug. I have a local fix for it, now just need to add a test and then I'll submit a pull request.

jeremyevans added a commit to jeremyevans/rack that referenced this issue May 28, 2020
…se64::{JSON,Zip}

This is an issue because SessionId doesn't round trip through JSON.
However, it probably has the same security issue as before SessionId
was introduced.

It may be better to eliminate the session id completely for cookie
sessions, since there is no reason cookie sessions need an id (an
id is only needed for memcache/memory/database sessions).

Fixes rack#1666
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

2 participants
You can’t perform that action at this time.