Menu
I've been building something in Rails 4.0.0 and I'm getting weird session behaviour. I have a login process that writes a value to session. Its absence is how I determine the user is not logged in:
def login
session[:user_id] = user.id
#Then we render a simple page...
end
To verify that that I have a valid user, I have a helper in my application_controller.rb:
def current_user
logger.info "(current_user) Session ID: #{request.session[:user_id]}"
if session[:user_id] != nil && session[:user_id] != -1
User.find(session[:user_id])
end
end
helper_method :current_user
This is called from several different places to check the user status and decide how to render the page. (The != -1 is explained below.) On logout I reset the session:
def logout
reset_session
end
The view that is rendered includes a call to the current_user helper method to render the navigation. This page is rendered with my navigation partial showing as having no current user, and and debug logs show the session variable as cleared. However, no matter what I do, on the next page it reverts to the logged in state and I suddenly have the user authenticated again, such that the current_user is getting the correct value from session.
I have tried assigning the session a different value (such as -1) and this has the same impact. For some reason my session is restored after it is deleted. Furthermore, when I use the following:
def logout
reset_session
redirect_to root_path
end
The index page is shown with a logged in user. This is incredibly annoying. I appreciate I could use Devise etc, but this is really about the weird session behaviour.
Things I've tried:
rake tmp:sessions:clear has no effect.I'm completely stumped by this. Oh - and as a final kicker, if I delete the session cookie on browser, writing to session fails as well. So I never get it back again.
Update
Here are the logs for a login. I have deleted the cookie in my browser, and no instead of not being able to logout, I cannot login:
Started GET "/auth/google_oauth2/callbackstate=***************************&code=***********************************" for 127.0.0.1 at 2013-08-26 18:59:15 +0100
I, [2013-08-26T18:59:15.307731 #7441] INFO -- omniauth: (google_oauth2) Callback phase initiated.
Processing by UsersController#callback as HTML
Parameters: {"state"=>"*************************", "code"=>"****************************"}
User Load (0.9ms) SELECT "users".* FROM "users" WHERE "users"."uid" = '************************' LIMIT 1
(current_user) Session ID: 1
Setting user_id in session: 1 => [1]
Account Load (2.4ms) SELECT "accounts".* FROM "accounts" WHERE "accounts"."id" = $1 ORDER BY "accounts"."id" ASC LIMIT 1 [["id", 1]]
Redirected to http://127.0.0.1:3000/pages
Completed 302 Found in 103ms (ActiveRecord: 7.3ms)
Started GET "/Pages" for 127.0.0.1 at 2013-08-26 18:59:16 +0100
Processing by PagesController#index as HTML
(current_user) Session ID:
Rendered public/401.html (1.0ms)
Filter chain halted as :is_authenticated rendered or redirected
Completed 401 Unauthorized in 11ms (Views: 10.8ms | ActiveRecord: 0.0ms)
You can see the two lines marked (current user) that are both calls to my helper method (as above). I'm getting my user data from Google OAuth with OmniAuth, but that's not especially relevant. (AFAIK...)
500
Damn. I was attempting to make this app multi tenancy, and had the following in my session_store.rb:
# Be sure to restart your server when you modify this file.
MyApp::Application.config.session_store :cookie_store, key: '_MyApp_session'
#writes cookies across all subdomain of this site.
Rails.application.config.session_store :cookie_store, :key => '_my_key', :domain => ENV['APP_DOMAIN']
Apparently this is bad and causes all kinds of crazy stuff to happen with your cookies and sessions. The clue should be in the _my_key, which I think is non-standard? My guess is I got this from another SO question, without fully realising the implications.
188
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With