Lost session with file upload

I’ve search this group for reports of this problem but didn’t find
anything useful.

I am doing the following with plain vanilla Rails 1.1.6 running WEBrick.

View:

Upload photo

Controller:
def post_photo
session[:photo_original_filename] = params[:photo][:original_filename]
redirect_to :controller => ‘home’, :action => ‘index’
end

Problem:
I login with a user account and have access to all member-only pages.
Then I access the file upload view, select a local file and press the
[Upload] button.
I was supposed to be redirected to /home/index where
session[:photo_original_filename] is displayed.
However I was redirected to the Login page instead. This was because my
authenticate user filter had
failed when it shouldn’t.

I figure the session may have changed so I recorded the session_id
before and after [Upload] button
was pressed. They were indeed different.

Next, I remove the enctype=“multipart/form-data” part from the form
declaration. I perform the steps
again and was redirected /home/index, as expected (with my current
session remained in tact).

So, I don’t know what the problem is and do hope someone could provide
some insight.

Much appreciated,

– Long

Well, I tried a few more things and found the culprit:

I removed the above line and the file upload work as expected (well
almost). It seems there is
something quirky with enctype= and _session_id processing.

Bug: params[:photo][:original_filename] should be
params[:photo].original_filename

Hope this will be useful to some for reference.

Cheers,

– Long

----- Original Message -----
From: “Long” [email protected]
To: [email protected]
Sent: Friday, August 31, 2007 12:04 AM
Subject: [Rails] Lost session with file upload

I login with a user account and have access to all member-only pages. Then I access the file upload view, select a local file and press the [Upload] button. I was supposed to be redirected to /home/index where session[:photo_original_filename] is

displayed.

However I was redirected to the Login page instead. This was because my authenticate user filter
had
failed when it shouldn’t.

I figure the session may have changed so I recorded the session_id before and after [Upload]
button
was pressed. They were indeed different.

Next, I remove the enctype=“multipart/form-data” part from the form declaration. I perform the
steps

Hi Long,
this is my personal experience, even if you don’t put _session_id in
any of your form, still the _session_id will be sent as part of each
request
which is stored in the browser side cookies, and these values are of
32-character length, and randomly generated by rails for each success-
full
authorization and they will be used for serialization of “session”
attribute of action_controller under the directory “tmp/sessions/”.
This folder contains “ruby-session-#{_session_id}” files which will be
red at each request and de-serialized to populate session hash.
So, since you hard-coded the value of _session_id in your form it
always goto that file which contains this value as part of file name,
which obviously
takes you to a different session than what you usually expect.

Hi,

Sorry I should have written ‘Generated View’ instead since it was copied
from my Browser using view
source.

I agree with your point, for browsers with default settings (cookies
enabled). However, I don’t
think we can (should) trust browsers to pass cookies in all cases. That
was my reason for including
the session id in a hidden field. It works fine for regular forms on
browsers with and without
cookies support, and not just with Rails.

I believe this is a Rails bug (at least in 1.1.6) and hope someone from
Rails Core can use what I’ve
document here to investigate further.

Regards,

– Long

----- Original Message -----
From: “raghukumar” [email protected]
To: “Ruby on Rails: Talk” [email protected]
Sent: Saturday, September 01, 2007 9:30 AM
Subject: [Rails] Re: Lost session with file upload - resolved

This folder contains “ruby-session-#{_session_id}” files which will be

I’ve search this group for reports of this problem but didn’t find anything useful.

I was supposed to be redirected to /home/index where session[:photo_original_filename] is

displayed.

However I was redirected to the Login page instead. This was because my authenticate user
filter

If the user agent disables cookies, there’s not much point to trying
to use session, is there?

Rein

Sure, if there is a will there is a way… :wink:

http://edgesoft.ca/blog/read/2 - No-Cookie Session Support plugin

– Long

----- Original Message -----
From: [email protected]
To: “Ruby on Rails: Talk” [email protected]
Sent: Saturday, September 01, 2007 1:22 PM
Subject: [Rails] Re: Lost session with file upload - resolved

If the user agent disables cookies, there’s not much point to trying
to use session, is there?

Rein

On Sep 1, 2:17 pm, “Long” [email protected] wrote:

Hi,

Sorry I should have written ‘Generated View’ instead since it was copied from my Browser using
view
source.

I agree with your point, for browsers with default settings (cookies enabled). However, I don’t
think we can (should) trust browsers to pass cookies in all cases. That was my reason for
including
the session id in a hidden field. It works fine for regular forms on browsers with and without
cookies support, and not just with Rails.

I believe this is a Rails bug (at least in 1.1.6) and hope someone from Rails Core can use what
I’ve
To: “Ruby on Rails: Talk” [email protected]

authorization and they will be used for serialization of “session”

I removed the above line and the file upload work as expected (well almost). It seems there
is
----- Original Message -----

redirect_to :controller => 'home', :action => 'index' failed when it shouldn't.

I figure the session may have changed so I recorded the session_id before and after
[Upload]
button
was pressed. They were indeed different.

Next, I remove the enctype=“multipart/form-data” part from the form declaration. I perform
the
steps
again and was redirected /home/index, as expected (with my current session remained in
tact).