Problem:
I log in with a user account and have access to all member-only pages.
Then I access the file upload view, select a local file and press the [Upload] button.
I was supposed to be redirected to /home/index where session[:photo_original_filename] is displayed.
However, I was redirected to the Login page instead. This was because my authenticate user filter had
failed when it shouldn't have.
I figured the session may have changed, so I recorded the session_id before and after the [Upload] button
was pressed. They were indeed different.
Next, I removed the enctype="multipart/form-data" part from the form declaration. I performed the steps
again and was redirected to /home/index, as expected (with my current session remaining intact).
So, I don't know what the problem is and do hope someone could provide some insight.
I removed the above line and the file upload worked as expected (well, almost). It seems there is
something quirky with enctype= and _session_id processing.
Bug: params[:photo][:original_filename] should be params[:photo].original_filename
Hi Long,
This is my personal experience: even if you don't put _session_id in any of your forms, the
_session_id will still be sent as part of each request. It is stored in the browser-side cookies. These
values are 32 characters long and randomly generated by Rails for each successful authorization, and
they are used for serialization of the "session" attribute of action_controller under the directory
"tmp/sessions/". This folder contains "ruby-session-#{_session_id}" files, which are read at each
request and de-serialized to populate the session hash.
So, since you hard-coded the value of _session_id in your form, it always goes to the file which
contains this value as part of its file name, which obviously takes you to a different session than
what you usually expect.
Sorry, I should have written 'Generated View' instead, since it was copied from my browser using view
source.
I agree with your point for browsers with default settings (cookies enabled). However, I don't
think we can (or should) trust browsers to pass cookies in all cases. That was my reason for including
the session id in a hidden field. It works fine for regular forms on browsers with and without
cookie support, and not just with Rails.
I believe this is a Rails bug (at least in 1.1.6) and hope someone from Rails Core can use what I've
documented here to investigate further.