ruby-on-railssessionsession-fixation

How can I find the new session_id after the reset_session command in Rails 3?


I am using the command "reset_session" as per here to avoid Session Fixation.

After running the command I would like to store the new generated session_id in the database but session[:session_id] is not defined.

I wrote a simple test:

class ApplicationController < ActionController::Base
  protect_from_forgery
  after_filter :after_test
  def after_test
    RAILS_DEFAULT_LOGGER.debug "Old Session: #{session.inspect}"
    reset_session
    session[:random_number] = ((rand*1000).to_i)
    RAILS_DEFAULT_LOGGER.debug "New Session: #{session.inspect}"
  end
end

Result in the log for two conescutives pages load is:

Started GET "/" for 127.0.0.1 at 2011-04-16 11:42:57 +0200
Processing by WelcomeController#index as HTML
Rendered welcome/index.html.erb within layouts/application (1.9ms)
Old Session: {"random_number"=>519, "session_id"=>"d17df62e286f20bd25e2714ee4f58020", "_csrf_token"=>"NkD5ZjG/RYLolfRy0ADmr+h+Sp2TXEOQlc6HhNpyp/g="}
New Session: {:random_number=>172}
Completed 200 OK in 7ms (Views: 6.4ms | ActiveRecord: 0.0ms)

and

Started GET "/" for 127.0.0.1 at 2011-04-16 11:42:58 +0200
Processing by WelcomeController#index as HTML
Rendered welcome/index.html.erb within layouts/application (2.0ms)
Old Session: {"random_number"=>172, "session_id"=>"54f46f520c80044a9f5475af78a05502", "_csrf_token"=>"9skbBEN35jQYRgH9oQVz1D5Hsi/o9l7fm7Qx9XDNETc="}
New Session: {:random_number=>497}
Completed 200 OK in 7ms (Views: 6.4ms | ActiveRecord: 0.0ms)

As you can see the random number (172) is properly passed to the second page but the New Session does not show the new session id.

I think the new session id ("54f46f520c80044a9f5475af78a05502") is generated after the "after_filter" but I don't know how to retrieve it.


Solution

  • Yes, rails has this problem. There is a ticket - https://rails.lighthouseapp.com/projects/8994/tickets/2200-session-support-broken

    And as you can see it hasn't been resolved yet.