reset_session breaks indifferent access

[iblue]

Hi.

I am running rails 3.2.7. When I run reset_session, it kills indifferent access.

def some_action
  session[:foo] = "bar"
  session.class # => Rack::Session::Abstract::SessionHash
  if session["foo"] == "bar" 
    puts "Everything ok until now".
  end

  reset_session # Deletes the session in the database, creates a new session id

  session[:foo] = "bar"
  session.class # => Hash
  if session["foo"] .nil?
    puts "Now it's broken"
  end
end

[steveklabnik]

I'm not sure if this is intended behavior or not, but I'm pretty sure it's insane either way. ;)

[reinh]

I'm pretty sure that reset_session should not change the type of session. +1

[steveklabnik]

Yeah, I mean, don't get me wrong, I'm 👍, but relying on this behavior seems dangerous.

[reinh]

I mean, in 7 years of Rails development I have never used reset_session in production code. But I still want it to work properly ;)

[steveklabnik]

Agreed. @pixeltrix also pointed out a case where it can be legitimately useful: https://twitter.com/pixeltrix/statuses/240879855930048512

[jeffshantz]

See section 2.8 in the Ruby on Rails Security Guide: http://guides.rubyonrails.org/security.html. You probably should be using reset_session. :)

[jeffshantz]

Confirmed in 3.2.8.

  def index
    session[:foo] = "bar"
    str = "Before: class = #{session.class}; foo = #{session["foo"]}<br>"

    reset_session

    # Re-adding :foo = bar to session
    session[:foo] = "bar"
    str += "After: class = #{session.class}; foo = #{session["foo"]}"   # Attempting to print it using "foo" instead of :foo

    render text: str
  end

produces:

Before: class = Rack::Session::Abstract::SessionHash; foo = bar
After: class = Hash; foo =

[jeffshantz]

Of course, upon reloading the page, the session hash is once again a Rack::Session::Abstract::SessionHash.

[iblue]

Yes, but the problem is persistent after reloading the page. If I save {:foo => "bar"} in a Rack::Session::Abstract::SessionHash will be dumped to the database as {"foo" => "bar"}. When I load this an a Rack::Session::Abstract::SessionHash, indifferent access works. But when I save {:foo => "bar"} when it's a Hash, it will be saved as {:foo => "bar"} (symbols instead of strings). After reloading the page, I can access it with session[:foo], but not with session["foo"].

I will give you an example. This is what we did, and it breaks stuff on our testing machine. It took us some time to figure out what was going wrong. At least we noticed, before these changed went into production.

class UserController < FrontendController
  def login
    if @user = User.authenticate(params[:email], params[:password])
      reset_session # Security!
      session[:user_id] = @user.id
      redirect_to mordor_path, :notice => "Welcome to mordor"
    else
      flash[:notice] = "One does not simply walk into mordor"
      render :login
    end
  end
end

class User < Sequel::Model
  # All sessions of this user - Yes, I know, it does not scale.
  #
  # BUG: When reset_session is used, will always return zero sessions.
  def sessions
    Rails::SessionStore.session_class.all.select do |session|
      session.data["user_id"] == self.id
    end
  end

  def force_logout!
    sessions.each do |session|
      Notification.new(:logout).send_to(session.id) # Notify the mobile devices.
      session.destroy
    end
  end
end