Peter Brown

Reputation: 51717

Session Not Persisting Across Redirect With OmniAuth and Rails 4

I'm having an issue with using OmniAuth with Rails 4.0.0.beta1 where a session value set in SessionsController is not being persisted across a redirect. I am trying to figure out if it's something in my code, a bug in Rails 4, or an incompatibility with the OmniAuth gem. I'm using the OmniAuth developer strategy.

I'm not sure if this means anything, but if I put a debugger in SessionsController#create after the session[:user_id] = user.id line and inspect the class of the session object, I get:

ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash

However, if I inspect that same session class in a different application running Rails 3.2 I get:

Hash

Maybe OmniAuth cannot handle the NullSessionHash object appropriately?

sessions_controller

class SessionsController < ApplicationController
  skip_before_filter :authenticate_user!

  def create
    user = User.find_or_create_by_auth_hash(auth_hash)
    session[:user_id] = user.id
    redirect_to root_path
  end

  protected

  def auth_hash
    request.env['omniauth.auth']
  end

end

config/initializers/secret_token.rb

MyApp::Application.config.secret_key_base = 'REMOVED'

config/initializers/session_store.rb

MyApp::Application.config.session_store :encrypted_cookie_store, key: '_my_app_session'

Upvotes: 7

Views: 1578

Answers (1)

Peter Brown

Reputation: 51717

It turns out this is related to an issue between Rails 4 and using the omniauth gem developer strategy. I fixed it in https://github.com/intridea/omniauth/pull/674

Update

Since the PR didn't get merged, I figured I'd post an easy solution that seems to work for most people. The issue is that the developer strategy does not include the form authenticity token, which Rails requires by default. You can disable this in your session controller with the following:

class SessionsController < ApplicationController
  skip_before_filter :verify_authenticity_token
  # ...
end

Upvotes: 5
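
Added example, not part of the original post and not Rails or OmniAuth source: a simplified pure-Ruby model of the null-session behaviour seen in the question, showing why a POST without the authenticity token loses `session[:user_id]`, and how scoping the skip to the callback action alone (`only: :create`) leaves other actions protected. `ModelApp`, `NullSession`, `skip_csrf_for` and the user id are constructed for illustration.

```ruby
require 'securerandom'

# Simplified, constructed model of the :null_session CSRF strategy.
# Not Rails or OmniAuth source; ModelApp and NullSession are hypothetical names.
class NullSession < Hash; end

class ModelApp
  attr_reader :cookie_session # stands in for the persisted session cookie

  # skip_csrf_for models:
  #   skip_before_filter :verify_authenticity_token, only: [...]
  def initialize(skip_csrf_for: [])
    @skip_csrf_for = skip_csrf_for
    @cookie_session = { csrf_token: SecureRandom.hex(16) }
  end

  # Runs one request; returns the class name of the session the action saw.
  def call(verb, action, params = {})
    session = verified?(verb, action, params) ? @cookie_session : NullSession.new
    send(action, session, params)
    # Only the real session is written back; a NullSession is discarded.
    @cookie_session = session unless session.is_a?(NullSession)
    session.class.name
  end

  private

  def verified?(verb, action, params)
    return true if verb == :get || @skip_csrf_for.include?(action)
    params[:authenticity_token] == @cookie_session[:csrf_token]
  end

  # Mirrors SessionsController#create from the question (42 is a constructed id).
  def create(session, _params)
    session[:user_id] = 42
  end

  # A state-changing action that should keep its token check.
  def destroy(session, _params)
    session.delete(:user_id)
  end
end

# Token-less POST to the callback, as the developer strategy form sends it.
puts ModelApp.new.call(:post, :create)
```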
