
Unmatched Session Secret Error #299

mutewinter opened this Issue Dec 30, 2011 · 8 comments

Upon switching to Rack 1.4.0 I get the following error when the session secret doesn't match a user's already generated cookie.

TypeError at /
can't convert nil into String
file: cookie.rb location: hexdigest line: 152

The error is caused when the browser's cookie was generated with a different session secret. The error appears to have been introduced in this commit.

This problem will be run into by anyone who is using Sinatra's enable :sessions feature, which generates a new session secret every time the app runs. Reverting to Rack 1.3.6 fixes this issue. Another fix is to set the session secret and never use enable :sessions in Sinatra.
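The failure mode described in this issue, as an added example that is not Rack's or Sinatra's own code: a simplified signed-cookie session (HMAC over a base64 payload) whose `load` treats a cookie signed under a different secret as a fresh, empty session instead of raising. The class `SignedCookieSession`, the helper `simulate_restart_with` and the constants `PER_BOOT_SECRET` and `FIXED_SECRET` are names chosen for this example; the secret value is a constructed placeholder.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Simplified model of a signed session cookie: "<base64 payload>--<hex hmac>".
# Hypothetical class for illustration; NOT Rack::Session::Cookie's implementation.
class SignedCookieSession
  def initialize(secret)
    raise ArgumentError, 'secret must be a non-empty String' if secret.nil? || secret.empty?
    @secret = secret
  end

  # Serialize a session hash and sign it under this instance's secret.
  def generate(session_hash)
    payload = [JSON.generate(session_hash)].pack('m0')   # strict base64
    "#{payload}--#{hmac(payload)}"
  end

  # Return the session hash when the signature verifies under this secret.
  # A missing, malformed, tampered, or foreign-secret cookie yields an empty
  # session ({}) rather than an exception, so a secret rotation or a client
  # holding a stale cookie degrades to "logged out" instead of a 500.
  def load(cookie)
    return {} if cookie.nil?
    payload, digest = cookie.split('--', 2)
    return {} if payload.nil? || digest.nil?
    return {} unless secure_compare(hmac(payload), digest)
    JSON.parse(payload.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    {}
  end

  private

  def hmac(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so the digest check does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed placeholder; a real deployment uses a long random value
# stored in configuration, not in source.
FIXED_SECRET    = 'change_me_to_a_long_random_value'.freeze
PER_BOOT_SECRET = -> { SecureRandom.hex(32) }   # fresh secret on every app start
STABLE_SECRET   = -> { FIXED_SECRET }            # same secret across restarts

# Issue a cookie in one "boot" of the app, restart with a secret from the same
# strategy, and see whether the returning client's session survives.
def simulate_restart_with(secret_strategy)
  first_boot  = SignedCookieSession.new(secret_strategy.call)
  cookie      = first_boot.generate('user_id' => 42)
  second_boot = SignedCookieSession.new(secret_strategy.call)   # the restart
  second_boot.load(cookie)
end

# A cookie whose payload was altered after signing must also be rejected.
def tampered_cookie_is_rejected?
  app    = SignedCookieSession.new(FIXED_SECRET)
  cookie = app.generate('user_id' => 42)
  forged = [JSON.generate('user_id' => 1)].pack('m0') + '--' + cookie.split('--', 2).last
  app.load(forged) == {}
end

if __FILE__ == $PROGRAM_NAME
  puts "fixed secret after restart:    #{simulate_restart_with(STABLE_SECRET).inspect}"
  puts "per-boot secret after restart: #{simulate_restart_with(PER_BOOT_SECRET).inspect}"
  puts "tampered cookie rejected:      #{tampered_cookie_is_rejected?}"
end
```

With a secret that is stable across restarts the session round-trips; with a per-boot secret every restart invalidates all outstanding cookies, which is exactly why users hit the mismatch after a redeploy. Whether a mismatch should crash or silently start a new session is a design choice; the point of the check is that the cookie's claims are never trusted until the signature verifies.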


lsiden commented Jan 2, 2012

Another fix is to set the session secret and never use enable :sessions in Sinatra.

What are you using instead? Could you give an example of this?

I'm using the manual invocation of Rack::Session::Cookie as shown in Sinatra's FAQ.

use Rack::Session::Cookie, :key => 'rack.session',
                           :domain => 'foo.com',
                           :path => '/',
                           :expire_after => 2592000, # In seconds
                           :secret => 'change_me'

The important thing is that the client's key never mismatches, otherwise the above error occurs and can only be fixed by erasing the cookies on the client.


lsiden commented Jan 3, 2012

This seems to be virtually the same thing that enable :sessions does.

See https://github.com/sinatra/sinatra/blob/master/lib/sinatra/base.rb#L1399

In any case, using Rack::Session::Cookie breaks my app.

#enable :sessions
use Rack::Session::Cookie, :secret => 'secret'#, :expire_after => 3600 * 24 # In seconds

The session always appears to be empty.

Fortunately, enable :sessions with Rack 1.3.6 still works as you already noted. :)

I believe the problem comes in with enable :sessions when they generate the session for every app load using SecureRandom. This means that every launch of the app has a different session_secret, which causes the mismatch error.


lsiden commented Jan 4, 2012

@mutewinter Jeremy, I tried this (but without setting :domain, as per http://stackoverflow.com/a/5177116/270511), but upon each new request, the session hash now contains only the key session_id upon each new response, regardless of what my app inserted into it before. In other words, I think it creates a new session hash upon each request, despite the cookie and key being visible in my browser debugger.

I'll try to create a simple test-case I can post if you want to see for yourself. I'm probably just doing something wrong. I've been known to do that before! ;)

artemave commented Jan 4, 2012

+1 also bumped into this.

Zapotek commented Jan 6, 2012

The pull request for this bug has solved my specific issue outlined in comments of 223.


@raggi raggi closed this in 08e0eb0 Jan 7, 2012

