Lost session with file upload

I've searched this group for reports of this problem but didn't find anything useful.

I am doing the following with plain vanilla Rails 1.1.6 running WEBrick.

View:

    <form action="/home/post_photo" method="POST" enctype="multipart/form-data">
      <p>Upload photo<br />
      <input id="_photo" name="photo" type="file" /><br />
      <input name="commit" type="submit" value="Upload" /></p>
      <input name="obj_id" type="hidden" value="2" />
      <input name="_session_id" type="hidden" value="f1d1e1d3d6378fdaf05e9dad87c168cf" />
    </form>

Controller:

    def post_photo
      session[:photo_original_filename] = params[:photo][:original_filename]
      redirect_to :controller => 'home', :action => 'index'
    end

Problem: I log in with a user account and have access to all member-only pages. Then I access the file upload view, select a local file and press the [Upload] button. I was supposed to be redirected to /home/index where session[:photo_original_filename] is displayed. However, I was redirected to the Login page instead. This was because my authenticate user filter had failed when it shouldn't.

I figured the session may have changed, so I recorded the session_id before and after the [Upload] button was pressed. They were indeed different.

Next, I removed the enctype="multipart/form-data" part from the form declaration. I performed the steps again and was redirected to /home/index, as expected (with my current session remaining intact).

So, I don't know what the problem is and do hope someone could provide some insight.

Much appreciated,

-- Long

Well, I tried a few more things and found the culprit:

<input name="_session_id" type="hidden" value="f1d1e1d3d6378fdaf05e9dad87c168cf" />

I removed the above line and the file upload worked as expected (well, almost). It seems there is something quirky with enctype= and _session_id processing.

Bug: params[:photo][:original_filename] should be params[:photo].original_filename

Hope this will be useful to some for reference.

Cheers,

-- Long

Hi Long, this is my personal experience: even if you don't put _session_id in any of your forms, the _session_id will still be sent as part of each request, since it is stored in the browser-side cookies. These values are 32 characters long and randomly generated by Rails for each successful authorization, and they are used for serialization of the "session" attribute of action_controller under the directory "tmp/sessions/". This folder contains "ruby-session-#{_session_id}" files, which are read at each request and de-serialized to populate the session hash. So, since you hard-coded the value of _session_id in your form, it always goes to the file which contains this value as part of its file name, which obviously takes you to a different session than what you usually expect.
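
The lookup described in the reply above, as an added Ruby example that is not part of the thread and not Rails' own code: the id the client sends selects the session file, and an id that is malformed or names no file yields a fresh, empty session. FileSessionStore, resolve and demo are hypothetical names, and the cookie-before-form-field order and the format check are assumptions of this sketch.

```ruby
require "json"
require "securerandom"
require "tmpdir"

# Hypothetical, simplified file-backed session store (not Rails' own code).
class FileSessionStore
  ID_FORMAT = /\A[0-9a-f]{32}\z/ # 32 hex characters, as in the thread

  def initialize(dir)
    @dir = dir
  end

  def path_for(id)
    File.join(@dir, "ruby-session-#{id}")
  end

  # Persist the session hash under its id.
  def save(id, data)
    File.write(path_for(id), JSON.generate(data))
  end

  # Start an empty session under a fresh server-generated id.
  def create
    id = SecureRandom.hex(16)
    save(id, {})
    id
  end

  # Take the id the client sent (cookie wins over form field). Accept it only
  # if it is a well-formed String naming an existing file; otherwise start a
  # new empty session. Returns [id, data, :resumed or :new].
  def resolve(cookie_id: nil, param_id: nil)
    id = cookie_id || param_id
    if id.is_a?(String) && ID_FORMAT.match?(id) && File.file?(path_for(id))
      [id, JSON.parse(File.read(path_for(id))), :resumed]
    else
      [create, {}, :new]
    end
  end
end

# Constructed demo: create a logged-in session, then present ids four ways.
def demo
  Dir.mktmpdir do |dir|
    store = FileSessionStore.new(dir)
    sid = store.create
    store.save(sid, { "user_id" => 7 })
    { cookie: store.resolve(cookie_id: sid), hidden: store.resolve(param_id: sid),
      unknown: store.resolve(param_id: "0" * 32), garbled: store.resolve(param_id: "../x") }
  end
end
```

A request that ends up in the `:new` branch carries no login state, which is what a redirect to the login page looks like from the user's side.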

Hi,

Sorry I should have written 'Generated View' instead since it was copied from my Browser using view source.

I agree with your point, for browsers with default settings (cookies enabled). However, I don't think we can (should) trust browsers to pass cookies in all cases. That was my reason for including the session id in a hidden field. It works fine for regular forms on browsers with and without cookies support, and not just with Rails.

I believe this is a Rails bug (at least in 1.1.6) and hope someone from Rails Core can use what I've documented here to investigate further.

Regards,

-- Long

If the user agent disables cookies, there's not much point to trying to use session, is there?

Rein

Sure, if there is a will there is a way... :wink:

http://edgesoft.ca/blog/read/2 - No-Cookie Session Support plugin

-- Long