I have a 2.0.2 app that I'm developing locally using Mongrel. I'm using
active_record_store for sessions and have uncommented the secret in the
protect_from_forgery call. Everything works fine locally.
I uploaded the app to my server yesterday so I could show some progress
to a client. The server is running LiteSpeed Standard 3.3.11. The app
works correctly in Firefox, but not in Safari (3.1.1 Mac). I tracked the
problem down to the session_id cookie not being created in Safari, so a
new session is created on every server hit and I get blasted with
InvalidAuthenticityToken errors.
Since I have cookies enabled in Safari (it's my primary browser), my
first thought was LiteSpeed is not writing cookies to Safari correctly,
if that's even reasonable. To test that theory, I launched another
application that I have had on that server for many months and has been
working fine. But to be thorough, I made sure it wrote a cookie
correctly. The odd thing is that it's a Rails 1.2.3 application, but is
using the cookie session store. Since cookies work correctly in the
1.2.3 app but not in the 2.0.2 app, I'm inclined to think this is a
Rails problem and not a LiteSpeed one.
Has anyone else experienced this? I have not yet been able to find any
related posts via this forum or Google, but I might not have hit on the
right search term combination yet.
Any help or direction will be very much appreciated.
After analyzing packets with tcpdump and comparing Firefox and Safari
hitting LiteSpeed, Mongrel, and Apache, I discovered the problem on a
whim.
Underscores in the hostname.
Yes, you read that correctly. Apparently Safari 3.1.1 will not write a
session cookie if there are underscores in the hostname. My original
dilemma was with the URL
sports_dev.livingdoor.net
and the working site on the same server was
vsiep.livingdoor.net
I set up a more controlled test with new applications (in both Rails
1.2.6 and 2.0.2) and the urls were
This is from the Uniform Resource Identifier (URI): Generic Syntax
2.3. Unreserved Characters
Characters that are allowed in a URI but do not have a reserved
purpose are called unreserved. These include uppercase and
lowercase
letters, decimal digits, hyphen, period, underscore, and tilde.
Through the years I have had numerous of issues using with clients
using underscore in their domain name. It's my recommendation to not
use underscore in your url.
Thanks to both of you for clarifying that. It's frustrating that
Firefox makes an allowance for the underscore. In my naivete, I assumed
that it was a bug in Safari and not a departure from the standards in
Firefox.
Could you let me know the bug # so I can follow up on it?
(I'm a Safari QA engineer, and every once in a while I mine this list
to see if all bugs are being tended to.)
On Thu, May 8, 2008 at 9:20 AM, Phillip Koebbe
It doesn't appear to be a bug after all. A couple of the more
knowledgeable readers of this list pointed out that the underscore is
not part of the standard, and therefore Safari is just being compliant.
It was my mistake, not Safari's.
Could you let me know the bug # so I can follow up on it?
(I'm a Safari QA engineer, and every once in a while I mine this list
to see if all bugs are being tended to.)
On Thu, May 8, 2008 at 9:20 AM, Phillip Koebbe
It doesn't appear to be a bug after all. A couple of the more
knowledgeable readers of this list pointed out that the underscore is
not part of the standard, and therefore Safari is just being compliant.
It was my mistake, not Safari's.
Peace,
Phillip
Seems like a bug to me. The standard says that underscores are not
valid in hostnames. By that logic your site would not work, or not be
accessible if it was using an underscore.
The fact that your site worked fine, but the browser would not accept
cookies for the domain is a bug for sure. It resulted in you having to
pull out a packet sniffer in order to figure it out. Anything that
causes that much frustration for developers is probably something the
Safari team wants to get ironed out.
The expected to behavior would be that that would either work 100%, or
it would not work at all. Not some confusing mix in the middle of
partially working functionality.
Seems like a bug to me. The standard says that underscores are not
valid in hostnames. By that logic your site would not work, or not be
accessible if it was using an underscore.
The fact that your site worked fine, but the browser would not accept
cookies for the domain is a bug for sure. It resulted in you having to
pull out a packet sniffer in order to figure it out. Anything that
causes that much frustration for developers is probably something the
Safari team wants to get ironed out.
The expected to behavior would be that that would either work 100%, or
it would not work at all. Not some confusing mix in the middle of
partially working functionality.
Ah, well, good points. In either case, I don't have a bug number. I used
the Report Bugs to Apple... option under the Safari menu.