active_record_store doesn't set default cookie for session id #11405

Closed
coldnebo opened this issue Jul 11, 2013 · 2 comments

@coldnebo
Contributor

In Rails 3.2.12 & 3.2.13 on Ubuntu 12.04 LTS, with webrick and passenger standalone.

This is a very odd problem.

SETUP:

  • first, create a new rails app from scratch
  • add some simple actions to write and read session [test app step1]
  • switch session_store from cookie_store to active_record_store. [test app step2]

Problem:

  • session gets reset every request. (no session cookie is written)

Solution:

  • adding active_record_store, key: '_session' ensures session id cookie is written [test app step3]

Question:

  • but active_record_store seems to use a default of '_session_id' under CentOS/Apache/Passenger without having to specify the key e.g. [test app step2]? Why would the web server make a difference?

More details:

Here's an example Rails app with git history illustrating the problem: no _session_id cookie is being written unless active_record_store explicitly sets key: '_session_id'.

I worked out the solution by reading the existing Rails doc more closely.

However, the solution is apparently unnecessary when deployed to other servers set up with CentOS/Apache/Passenger; they produced _session_id cookies without issue (which is very odd). I'm curious.

My dev environment is webrick under Ubuntu 12.04.2 LTS. Initially I thought that maybe it was a difference between MySQL and sqlite3, but testing this toy app under both doesn't make a difference, same behavior.

I then thought that something might be different in webrick, so I ran in passenger standalone, same issue.

I then tried tracing through the rails code that controls session. I was able to verify that my session was not getting dropped... instead every single request, rails couldn't find the session id in the cookie and so it created a new session, wrote to it and lost it. My database was full of orphaned session writes to confirm this was occurring.

Then I checked the client browser and saw that when I cleared all cookies, indeed, no new cookies were being written. I can understand key: being required, but as I said earlier, this seems to work under CentOS/Apache/Passenger -- I suppose it's possible that some kind of rack modification or some other layer is 'owning' the creation of the session_id cookie in that environment, thus masking the true error in my Rails config... but I'm not sure that's the problem.

Code-wise, I'm still not sure how the sid gets from the session_id cookie to the code that attempts to read the session -- the code was too gnarly for me to trace that part. Maybe someone in core can explain?

I checked the existing rails tests for session cookies, including active_record_store and they look almost exactly like my test case, but they pass. So I'm at a loss where the actual problem is.

Feel free to pull down the repo and revert the last commit and see if it happens for you.

I also tried this with rails 3.2.13 and got the same results.

Any ideas?

@coldnebo coldnebo added the stale label Apr 23, 2014
@rafaelfranca
Member

This issue has been automatically marked as stale because it has not been commented on for at least
three months.

The resources of the Rails team are limited, and so we are asking for your help.

If you can still reproduce this error on the 4-1-stable, 4-0-stable branches or on master,
please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions.

@coldnebo
Contributor Author

coldnebo commented May 6, 2014

In the process of testing #12601 on EdgeRails 4.2.0.alpha, I noticed that the _session_id cookie is being written out by default now even when

Rails.application.config.session_store :active_record_store

is set in config/initializers/session_store.rb.

So this appears to be fixed as well. Thanks!

@coldnebo coldnebo closed this as completed May 6, 2014
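
To tell the symptom reported in this thread (the server never writes a session id cookie) apart from a client that drops a cookie it was given, captured request and response headers can be classified per exchange. This is an added Ruby example, not code from the issue or from Rails; the function names are hypothetical and the header values are constructed samples, with only the cookie keys `_session_id` and `_session` taken from the thread.

```ruby
# Return the value of cookie `key` in a request Cookie header ("a=1; b=2"), or nil.
def sent_sid(cookie_header, key)
  cookie_header.to_s.split(/;\s*/).each do |pair|
    name, value = pair.split("=", 2)
    return value if name == key
  end
  nil
end

# Return the value of cookie `key` among the response Set-Cookie lines, or nil.
def issued_sid(set_cookie_lines, key)
  set_cookie_lines.each do |line|
    name, value = line.split(";", 2).first.to_s.split("=", 2)
    return value if name.to_s.strip == key
  end
  nil
end

# One verdict per exchange, in order:
#   :never_issued - no id sent and none ever set, so the server opens a
#                   session the client can never present again
#   :not_returned - an id was issued earlier but the client did not send it
#   :ok           - an id was sent, or the first id was issued
def diagnose(exchanges, key)
  outstanding = nil # last id the client is known to have been given
  exchanges.map do |ex|
    sent = sent_sid(ex[:cookie], key)
    issued = issued_sid(ex[:set_cookie], key)
    verdict = if sent then :ok
              elsif outstanding then :not_returned
              elsif issued then :ok
              else :never_issued
              end
    outstanding = issued || sent || outstanding
    verdict
  end
end

# Constructed captures (not taken from the issue's test app).
BROKEN  = Array.new(3) { { cookie: nil, set_cookie: [] } }
WORKING = [
  { cookie: nil, set_cookie: ["_session_id=abc123; path=/; HttpOnly"] },
  { cookie: "_session_id=abc123", set_cookie: [] }
]
DROPPED = [
  { cookie: nil, set_cookie: ["_session_id=a1; path=/; HttpOnly"] },
  { cookie: nil, set_cookie: ["_session_id=b2; path=/; HttpOnly"] }
]
```

Checking a capture against the wrong key (for example `_session` when the app issues `_session_id`) yields `:never_issued` throughout, so confirm the configured key before concluding that no cookie is written.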