#383 new
Shannon -jj Behrens

reset_session and Webrat don't play nicely with one another

Reported by Shannon -jj Behrens | June 10th, 2010 @ 06:02 PM

All the Rails security guides say that you should call reset_session after the user logs in or logs out. This clears out the session and forces a new session ID to be created. It seems there have been a few Rails bugs related to reset_session over the years. However, I'm now worried that there's a conflict somewhere related to Rails' testing infrastructure and/or Webrat.

In my login action, I call reset_session and then put a nice message in flash. When I actually use the website, I can see (via Firefox) that I'm getting a new session ID, and I can see my flash message. However, when I write tests for those two things, the flash message gets lost, and I don't get a new session ID in my cookies. It's almost as if the new session is being ignored, and the old session is being used.

I'm sorry, but I can't tell exactly where the problem is. I know that there's special Rails code that handles session cookies when you're doing integration testing.

actionpack-2.3.8
webrat-0.7.1

If this is the wrong place to file the bug, please tell me the right place. Thanks!

Comments and changes to this ticket

  • Dan Croak

    Dan Croak June 21st, 2010 @ 02:54 PM

    I'm seeing the same behavior of disappearing flash messages only:

    • on Rails 2.3.8
    • on Rack 1.1.0
    • on Webrat 0.7.0 and 0.7.1
    • in the Cucumber environment (display correctly in development/other environments)
    • in the view (set correctly in the controller)
  • Dan Croak

    Dan Croak June 21st, 2010 @ 04:22 PM

    Oh, one other thing: I'm not calling reset_session anywhere. Just normally assigning the flash and redirecting.

  • Tom Ward

    Tom Ward July 7th, 2010 @ 06:54 AM

    I'm getting the same issue as Dan with the same environment (Rails 2.3.8, Rack 1.1.0). It looks as though the flash message is one request behind where it should be in some cases (but not always). The code works fine in production, and the tests passed using Rails 2.3.5.

  • Dan Croak

    Dan Croak July 7th, 2010 @ 10:51 AM

    This was an issue in Rails, now fixed but not in a released version yet:

    http://github.com/rails/rails/commit/85b6d79d8a17fdef667770e31b44ac...

    In the meantime, you can add this to config/environments/cucumber.rb and be okay:

    class RackRailsCookieHeaderHack
      def initialize(app)
        @app = app
      end
    
      def call(env)
        status, headers, body = @app.call(env)
        if headers['Set-Cookie'] && headers['Set-Cookie'].respond_to?(:collect!)
          headers['Set-Cookie'].collect! { |h| h.strip }
        end
        [status, headers, body]
      end
    end
    
    config.after_initialize do
      ActionController::Dispatcher.middleware.insert_before(ActionController::Base.session_store, RackRailsCookieHeaderHack)
    end
    
  • Gravis

    Gravis October 12th, 2010 @ 05:02 PM

    Still having the issue here, even with the hack provided by Dan Croak. It was working on rails 2.3.8, but not on rails 2.3.9:

    a header value must be a String, but the value of 'Set-Cookie' is a Array (Rack::Lint::LintError)
    ./features/step_definitions/web_steps.rb:20:in `/^(?:|I )go to (.+)$/'
    

    This occurs when I visit the signout page before doing anything, so I guess it's calling reset_session somewhere in there.

  • Christoph Olszowka

    Christoph Olszowka November 3rd, 2010 @ 02:12 PM

    I ran into a similar issue with Rails 2.3.10 integration tests after inserting a Sinatra app as middleware. The fix by Dan didn't quite work out, but for me, a slightly modified version did the job:

    class RackRailsCookieHeaderHack
      def initialize(app)
        @app = app
      end
    
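      def call(env)
        status, headers, body = @app.call(env)
        # Rack expects a String here; when Rails hands back an Array, keep only
        # its first cookie. Strings and a missing header are left untouched.
        cookies = headers['Set-Cookie']
        headers['Set-Cookie'] = cookies.first if cookies.is_a?(Array)
        [status, headers, body]
      end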
    end
    
    config.after_initialize do
      ActionController::Dispatcher.middleware.insert_before(ActionController::Base.session_store, RackRailsCookieHeaderHack)
    end
    
  • Christoph Olszowka

    Christoph Olszowka November 3rd, 2010 @ 02:18 PM

    Also, this discussion at the Rails github repo seems to be related to this problem - obviously Rails cookie handling is kind of a mess...

  • Gravis

    Gravis November 12th, 2010 @ 10:45 AM

    Thanks Christoph, that made it for now :)
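
An added example, not code from this ticket or from Rails or Webrat: a nil-safe variant of the header workaround discussed above that joins an Array-valued Set-Cookie into the newline-separated String that Rack 1.x expects, so no cookie is dropped, plus a helper a test can use to check that the session ID changed after reset_session. The class name, the helper and the sample apps are hypothetical, and the cookie values are constructed.

```ruby
# Added example (not from the ticket). NormalizeSetCookie, cookie_value and
# the sample apps are hypothetical names; the cookie values are constructed.
class NormalizeSetCookie
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    value = headers['Set-Cookie']
    if value.is_a?(Array)
      # Rack 1.x header values must be Strings, with multiple cookies
      # separated by "\n". Join rather than take .first so none is lost.
      cookies = value.map { |c| c.to_s.strip }.reject(&:empty?)
      if cookies.empty?
        headers.delete('Set-Cookie')
      else
        headers['Set-Cookie'] = cookies.join("\n")
      end
    end
    [status, headers, body]
  end
end

# Pull one cookie's value out of a normalized Set-Cookie header, so a test
# can compare the session ID before and after login (reset_session).
def cookie_value(set_cookie, name)
  return nil unless set_cookie.is_a?(String)
  set_cookie.split("\n").each do |line|
    pair = line.split(';').first.to_s.strip
    key, val = pair.split('=', 2)
    return val if key == name
  end
  nil
end

# Constructed sample apps: one returns an Array (the shape Rack::Lint
# rejects in the error above), the other sets no cookie at all.
ARRAY_APP = lambda do |_env|
  [302, { 'Set-Cookie' => [" _app_session=new123; path=/; HttpOnly\n", 'flash=ok; path=/'] }, []]
end
PLAIN_APP = lambda { |_env| [200, { 'Content-Type' => 'text/html' }, []] }

def normalized_headers(app)
  NormalizeSetCookie.new(app).call({})[1]
end
```

In an integration test, comparing `cookie_value` for the session cookie before and after the login request shows whether the new session ID actually reached the client.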
