Handing request.session in Rack Middleware ...

I have been experimenting with providing API for my own Rails 3 app and I implemented the OAuth-provider. With OAuth-provider, access_token is the king. Now, my idea is my users will invoke the API like:

GET requests (e.g. for listing the instances of a “Comment” resource) – curl ‘

POST requests (e.g. posting a form for creating a new comment) – curl -F “text=incredible article!” -F “access_token=4fcdab32-3777-4fc0-85fd-71f4ef5c7986” -F “article_id=1”

(All the requests are on SSL in production).

I implemented the Rack middleware as: https://gist.github.com/2582579 – basically, it looks at the request and sets the associated user_id in the session if the request has valid access_token.

It works well for GET requests, but fails for POST request. The session I modified in the Middleware is simply not available in ApplicationController in the same request!

I have made sure that

use ActionDispatch::Session::CookieStore appears “before” my Rack Middleware.

What confuses me is it works for GET requests and not for POST requests.

Does this make sense?

Any idea what I may be doing wrong? (Almost about to give up on Rack and resorting to before_filter …)