Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Calling `reset_session` in Rails 4.0.0 not working on 2nd subsequent page

I've been building something in Rails 4.0.0 and I'm getting weird session behaviour. I have a login process that writes a value to session. Its absence is how I determine the user is not logged in:

def login
  session[:user_id] = user.id

  #Then we render a simple page...
end

To verify that that I have a valid user, I have a helper in my application_controller.rb:

def current_user
  logger.info  "(current_user) Session ID: #{request.session[:user_id]}"
  if session[:user_id] != nil && session[:user_id] != -1 
    User.find(session[:user_id])
  end
end
helper_method :current_user

This is called from several different places to check the user status and decide how to render the page. (The != -1 is explained below.) On logout I reset the session:

def logout
  reset_session
end

The view that is rendered includes a call to the current_user helper method to render the navigation. This page is rendered with my navigation partial showing as having no current user, and and debug logs show the session variable as cleared. However, no matter what I do, on the next page it reverts to the logged in state and I suddenly have the user authenticated again, such that the current_user is getting the correct value from session.

I have tried assigning the session a different value (such as -1) and this has the same impact. For some reason my session is restored after it is deleted. Furthermore, when I use the following:

def logout
  reset_session
  redirect_to root_path
end

The index page is shown with a logged in user. This is incredibly annoying. I appreciate I could use Devise etc, but this is really about the weird session behaviour.

Things I've tried:

  • Experimenting with rake tmp:sessions:clear has no effect.
  • Overwriting session value with something else.
  • Inspecting the _my_key cookie value (which never changes???) - Although I do get set values returned in the response headers with a different value...? This seems a bit odd.
  • Turbo Links has been removed.
  • Using Rails 4.0.0 and Ruby 2.0.0 p247
  • Chrome and Safari...

I'm completely stumped by this. Oh - and as a final kicker, if I delete the session cookie on browser, writing to session fails as well. So I never get it back again.

Update

Here are the logs for a login. I have deleted the cookie in my browser, and no instead of not being able to logout, I cannot login:

Started GET "/auth/google_oauth2/callbackstate=***************************&code=***********************************" for 127.0.0.1 at 2013-08-26 18:59:15 +0100 
I, [2013-08-26T18:59:15.307731 #7441]  INFO -- omniauth: (google_oauth2) Callback phase initiated.
Processing by UsersController#callback as HTML
  Parameters: {"state"=>"*************************", "code"=>"****************************"}
  User Load (0.9ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = '************************' LIMIT 1
(current_user) Session ID: 1
Setting user_id in session: 1 => [1]
  Account Load (2.4ms)  SELECT "accounts".* FROM "accounts" WHERE "accounts"."id" = $1 ORDER BY "accounts"."id" ASC LIMIT 1  [["id", 1]]
Redirected to http://127.0.0.1:3000/pages
Completed 302 Found in 103ms (ActiveRecord: 7.3ms)


Started GET "/Pages" for 127.0.0.1 at 2013-08-26 18:59:16 +0100
Processing by PagesController#index as HTML
(current_user) Session ID: 
  Rendered public/401.html (1.0ms)
Filter chain halted as :is_authenticated rendered or redirected
Completed 401 Unauthorized in 11ms (Views: 10.8ms | ActiveRecord: 0.0ms)

You can see the two lines marked (current user) that are both calls to my helper method (as above). I'm getting my user data from Google OAuth with OmniAuth, but that's not especially relevant. (AFAIK...)

like image 500
xmjw Avatar asked Nov 01 '22 15:11

xmjw


1 Answers

Damn. I was attempting to make this app multi tenancy, and had the following in my session_store.rb:

# Be sure to restart your server when you modify this file.
MyApp::Application.config.session_store :cookie_store, key: '_MyApp_session'

#writes cookies across all subdomain of this site.
Rails.application.config.session_store :cookie_store, :key => '_my_key', :domain => ENV['APP_DOMAIN']

Apparently this is bad and causes all kinds of crazy stuff to happen with your cookies and sessions. The clue should be in the _my_key, which I think is non-standard? My guess is I got this from another SO question, without fully realising the implications.

like image 188
xmjw Avatar answered Nov 08 '22 08:11

xmjw