I am using the command "reset_session" as per here to avoid Session Fixation.
After running the command I would like to store the new generated session_id in the database but session[:session_id] is not defined.
I wrote a simple test:
class ApplicationController < ActionController::Base
protect_from_forgery
after_filter :after_test
def after_test
RAILS_DEFAULT_LOGGER.debug "Old Session: #{session.inspect}"
reset_session
session[:random_number] = ((rand*1000).to_i)
RAILS_DEFAULT_LOGGER.debug "New Session: #{session.inspect}"
end
end
Result in the log for two conescutives pages load is:
Started GET "/" for 127.0.0.1 at 2011-04-16 11:42:57 +0200
Processing by WelcomeController#index as HTML
Rendered welcome/index.html.erb within layouts/application (1.9ms)
Old Session: {"random_number"=>519, "session_id"=>"d17df62e286f20bd25e2714ee4f58020", "_csrf_token"=>"NkD5ZjG/RYLolfRy0ADmr+h+Sp2TXEOQlc6HhNpyp/g="}
New Session: {:random_number=>172}
Completed 200 OK in 7ms (Views: 6.4ms | ActiveRecord: 0.0ms)
and
Started GET "/" for 127.0.0.1 at 2011-04-16 11:42:58 +0200
Processing by WelcomeController#index as HTML
Rendered welcome/index.html.erb within layouts/application (2.0ms)
Old Session: {"random_number"=>172, "session_id"=>"54f46f520c80044a9f5475af78a05502", "_csrf_token"=>"9skbBEN35jQYRgH9oQVz1D5Hsi/o9l7fm7Qx9XDNETc="}
New Session: {:random_number=>497}
Completed 200 OK in 7ms (Views: 6.4ms | ActiveRecord: 0.0ms)
As you can see the random number (172) is properly passed to the second page but the New Session does not show the new session id.
I think the new session id ("54f46f520c80044a9f5475af78a05502") is generated after the "after_filter" but I don't know how to retrieve it.
Yes, rails has this problem. There is a ticket - https://rails.lighthouseapp.com/projects/8994/tickets/2200-session-support-broken
And as you can see it hasn't been resolved yet.