Rails 2.3.9 breaks sessions with Active Record or Memcache store

A Rails 2.3.9 app with Active Record or Memcache session store will never send the session ID cookie to a client if the client doesn’t send any HTTP cookies in its requests. Rails integration tests didn’t catch this because they always send the HTTP_COOKIE header, even if it’s empty.

This is a huge bug, as it can break keeping sessions on sites which don’t set any additional cookies for their visitors. Visitors without existing cookies will not be able to log in, for example (this is how I discovered the bug).

Lighthouse ticket and fix are here.

An unobtrusive monkeypatch for existing apps can also be found on the ticket.
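A regression check for the gap described in the post above, as an added example that is not part of the original post, the Lighthouse fix, or Rails itself. `StandInSessionStore` is a constructed stand-in that only models the reported symptom; it, `request_env`, `session_cookie_issued?` and `check` are hypothetical names. The point is that a test must omit `HTTP_COOKIE` entirely, not send it empty.

```ruby
# Constructed stand-in for a server-side session store, written only to
# reproduce the symptom described in the post. It is NOT Rails' code.
class StandInSessionStore
  def initialize(app, buggy:)
    @app = app
    @buggy = buggy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Symptom model (assumption): the buggy variant issues the session cookie
    # only when the request carried a Cookie header at all, even an empty one.
    if !@buggy || env.key?("HTTP_COOKIE")
      headers = headers.merge("Set-Cookie" => "_session_id=constructed-example; path=/; HttpOnly")
    end
    [status, headers, body]
  end
end

# Build a minimal Rack-style env. cookie_header nil omits HTTP_COOKIE
# entirely (a first-time visitor); "" mimics what the post says the
# integration tests always send.
def request_env(cookie_header)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/login" }
  env["HTTP_COOKIE"] = cookie_header unless cookie_header.nil?
  env
end

# True if the response sets a session ID cookie.
def session_cookie_issued?(app, cookie_header)
  _status, headers, _body = app.call(request_env(cookie_header))
  headers.fetch("Set-Cookie", "").include?("_session_id=")
end

INNER_APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }

# Run both request shapes against the stand-in and report the outcome.
def check(buggy:)
  app = StandInSessionStore.new(INNER_APP, buggy: buggy)
  { empty_header: session_cookie_issued?(app, ""),
    no_header: session_cookie_issued?(app, nil) }
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy: #{check(buggy: true)}"
  puts "fixed: #{check(buggy: false)}"
end
```

The empty-header case passes in both variants, which is why a suite that always sends `HTTP_COOKIE` cannot see the failure; only the no-header case separates them.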

Thanks for catching that. Will get someone to apply that asap. :frowning:

You are absolutely right! I just wanted to post this error right now... My simple session login doesn't work anymore due to Rails 2.3.9 :frowning: