Rails 3 is changing session ID on POST from AIR

Question

I have a REST API in Rails 3 being accessed sometimes from an AIR application and sometimes from the browser.

I think this is a Rails 3 problem but it might be a Flex/AIR problem.

The Rails app uses omniauth for authentication, cancan for authorization, and active_record_store. I use the session model to store the identity of the user.

(There is a reason I'm not using cookie sessions, having to do with AIR for Android, OAuth, and StageWebView.)

I'm using Charles to monitor HTTP traffic.

Most requests work fine. The browser (or the AIR client) sends the session ID to the server using the Cookie http header, like this:

_session_id=950dee7eca6732aa62b5f91876f66d15

And Rails finds the session, figures out who the user is, and does its thing.

But under certain circumstances, Rails generates a new session before sending the response. It adds a session to the sessions table, and returns a Set-Cookie header to the client with a new session ID. Like this:

_session_id=e1489a6b610c0a1d13cec1454228ae47; path=/; HttpOnly

The circumstances under which this happens are:

• The request comes from the AIR client
• The request is a POST

This is obviously a problem, because on subsequent requests, Rails can't find the user information. It created a new session without that information.

So I'm looking at the HTTP headers for the POST request. Here's a copy/paste from Charles; I inserted the colon after the header name to make it readable.

Host: localhost.seti.hg94.com:3000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/531.9 (KHTML, like Gecko) AdobeAIR/2.6
Referer: app:/AndroidApplication.swf
X-Flash-Version: 10,2,152,22
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: _session_id=950dee7eca6732aa62b5f91876f66d15
Content-Length: 84
Connection: keep-alive

Does anyone have any insight into why Rails would generate a new session under those circumstances? It seems to be happening after my controller code executes, since I have the correct session information in the controller.

I'm busy trying to isolate the problem further, control the headers from within AIR, and so on. I've been working on this bug for almost a week. So any insight or suggestions from the community would be greatly appreciated.

Answer 1

Only a guess, but it seems like you're not bringing across the CSRF token that Rails generates for all POST-based requests:

http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf