Lost session with file upload

I've searched this group for reports of this problem but didn't find anything useful.

I am doing the following with plain vanilla Rails 1.1.6 running WEBrick.

View:
<form action="/home/post_photo" method="POST" enctype="multipart/form-data">
<p>Upload photo<br />
<input id="_photo" name="photo" type="file" /><br />
<input name="commit" type="submit" value="Upload" /></p>
<input name="obj_id" type="hidden" value="2" />
<input name="_session_id" type="hidden" value="f1d1e1d3d6378fdaf05e9dad87c168cf" />
</form>

Controller:
def post_photo
  session[:photo_original_filename] = params[:photo][:original_filename]
  redirect_to :controller => 'home', :action => 'index'
end

Problem:
I log in with a user account and have access to all member-only pages.
Then I access the file upload view, select a local file and press the [Upload] button.
I was supposed to be redirected to /home/index where session[:photo_original_filename] is displayed.
However I was redirected to the Login page instead. This was because my authenticate user filter had
failed when it shouldn't.

I figured the session may have changed so I recorded the session_id before and after [Upload] button
was pressed. They were indeed different.

Next, I removed the enctype="multipart/form-data" part from the form declaration. I performed the steps
again and was redirected to /home/index, as expected (with my current session remaining intact).

So, I don't know what the problem is and do hope someone could provide some insight.

Much appreciated,

-- Long

Well, I tried a few more things and found the culprit:

<input name="_session_id" type="hidden" value="f1d1e1d3d6378fdaf05e9dad87c168cf" />

I removed the above line and the file upload worked as expected (well almost). It seems there is
something quirky with enctype= and _session_id processing.

Bug: params[:photo][:original_filename] should be params[:photo].original_filename

Hope this will be useful to some for reference.

Cheers,

-- Long

Hi Long,
This is my personal experience: even if you don't put _session_id in any of your forms, the
_session_id will still be sent as part of each request, as it is stored in the browser-side cookies.
These values are 32 characters long and randomly generated by Rails for each successful
authorization, and they are used for serialization of the "session" attribute of action_controller
under the directory "tmp/sessions/". This folder contains "ruby-session-#{_session_id}" files, which
are read at each request and de-serialized to populate the session hash. So, since you hard-coded
the value of _session_id in your form, it always goes to the file which contains this value as part
of its file name, which obviously takes you to a different session than the one you expect.
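
Added example, not part of the thread and not Rails code: a simplified Ruby model of the file-per-session lookup described in the reply above, showing how an id baked into a form can land on a different session file than the cookie's id. The class FileSessionStore, the helpers form_first and cookie_first, and the rule that the form value takes precedence are assumptions made for illustration.

```ruby
require "tmpdir"
require "securerandom"

# Simplified stand-in for a file-per-session store (hypothetical, not Rails code).
class FileSessionStore
  ID_FORMAT = /\A[0-9a-f]{32}\z/ # 32-character ids, as described in the thread
  def initialize(dir)
    @dir = dir
  end

  # Issue a fresh server-generated id and persist the session data under it.
  def create(data)
    id = SecureRandom.hex(16)
    File.binwrite(path(id), Marshal.dump(data))
    id
  end

  # Stored hash, or nil for a malformed or unknown id (checked before the id reaches a file name).
  def read(id)
    return nil unless id.is_a?(String) && id.match?(ID_FORMAT)
    # Marshal is acceptable here only because these files are written by this process.
    File.exist?(path(id)) ? Marshal.load(File.binread(path(id))) : nil
  end

  def path(id)
    File.join(@dir, "ruby-session-#{id}")
  end
end

# Assumed precedence: the form value wins over the cookie, so a stale id loses the login.
def form_first(store, cookie_id, form_id)
  store.read(form_id || cookie_id) || {}
end

# Cookie wins; the form value is only a fallback for clients that sent no usable cookie.
def cookie_first(store, cookie_id, form_id)
  store.read(cookie_id) || store.read(form_id) || {}
end

# Constructed scenario: a logged-in cookie session and a stale id baked into the form.
def demo
  Dir.mktmpdir do |dir|
    store = FileSessionStore.new(dir)
    cookie_id = store.create({ user: "long" })
    stale_id = "f1d1e1d3d6378fdaf05e9dad87c168cf" # value from the posted form
    { form_first: form_first(store, cookie_id, stale_id), cookie_first: cookie_first(store, cookie_id, stale_id),
      no_cookie: cookie_first(store, nil, cookie_id), malformed: cookie_first(store, nil, "../other-file") }
  end
end
```

Calling demo returns an empty session for the form-first lookup and the logged-in session for the cookie-first lookup, while a malformed id never reaches the file system.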

Hi,

Sorry I should have written 'Generated View' instead since it was copied from my Browser using view
source.

I agree with your point, for browsers with default settings (cookies enabled). However, I don't
think we can (should) trust browsers to pass cookies in all cases. That was my reason for including
the session id in a hidden field. It works fine for regular forms on browsers with and without
cookies support, and not just with Rails.

I believe this is a Rails bug (at least in 1.1.6) and hope someone from Rails Core can use what I've
documented here to investigate further.

Regards,

-- Long

If the user agent disables cookies, there's not much point to trying
to use session, is there?

Rein

Sure, if there is a will there is a way... :wink:

http://edgesoft.ca/blog/read/2 - No-Cookie Session Support plugin

-- Long