Rails 2.3.9 breaks sessions with Active Record or Memcache store

Mislav · September 8, 2010, 2:01pm

A Rails 2.3.9 app with Active Record or Memcache session store will never send the session ID cookie to a client if the client doesn’t send any HTTP cookies in its requests. Rails integration tests didn’t catch this because they always send the HTTP_COOKIE header, even if it’s empty.

This is a huge bug, as it can break keeping sessions on sites which don’t set any additional cookies for its visitors. Visitors without existing cookies will not be able to log in, for example (this is how I discovered the bug).

Lighthouse ticket and fix is here.

An unobtrusive monkeypatch for existing apps can also be found on the ticket.

sikachu · September 8, 2010, 2:02pm

Thanks for catching that. will get someone to apply that asap.

Bijan · September 26, 2010, 12:30am

You are absolutely right! I just wanted to post this error right now... My simple session login doesn't work anymore due to rails 2.3.9

Topic		Replies	Views
Session confusion using mem_cache_store? rubyonrails-talk	0	209	April 16, 2010
dissabling cookies in webrick rubyonrails-talk	1	85	April 22, 2008
Switching to ActiveRecord Session Store rubyonrails-talk	1	144	February 19, 2009
Problem with cookie in IE rubyonrails-talk	9	226	October 3, 2009
active_record_store for cookies? rubyonrails-talk	0	132	January 29, 2009

Rails 2.3.9 breaks sessions with Active Record or Memcache store

Related topics

More Resources