How can I change the value of the session key

How can I change the session key “_session_id” returned to the client
from my rails apps. I’m using both 1.2.2 and 1.1.6 frameworks.

I have a strange problem. I have two rails apps that use REST to
communicate. The problematic interaction occurs when app1 uses a
redirect to point the client to app2. Both apps appear to use the same
session key identifier: “_session_id”. When the re-direct occurs the
session cookie from app1 is replaced by the session cookie from app
two because they both use the same key.

Here’s some documentation on changing the primary key used in the
session database table but I haven’t been able to get it to work:

http://caboo.se/doc/classes/CGI/Session/ActiveRecordStore.html

The fifth paragraph suggests:

Note that setting the primary key to the session_id frees you from
having a separate id column if you don’t want it.
However, you must set session.model.id = session.session_id by
hand! A before_filter on ApplicationController is a
good place.

I thought perhaps rails was by default deriving the
string for the session key from the primary key for the
session table and tried changing it here and in the migrations, but
even though I’ve changed it everywhere I have found:

CGI::Session::ActiveRecordStore::Session.table_name = "#{RAILS_APPLICATION_PREFIX}diy_sessions"
CGI::Session::ActiveRecordStore::Session.primary_key = "#{RAILS_APPLICATION_PREFIX}diy_session_id"

I still get this suspicious error:

Mysql::Error: Unknown column ‘session_id’ in ‘where clause’: SELECT *
FROM teemss2_diy_sessions WHERE (session_id =
‘8e4863f1ca1943753def464382ce88bb’) LIMIT 1

Sure does look like there is some other place the primary key is set.

Here’s the forensics:

My logged-in user’s been working in app1 and their browser’s been
happily exchanging their session cookie back and forth with app1:

http://concord.org/app1/page/list

GET /app1/page/list HTTP/1.1
Cookie: _session_id=da43fd21e94f6096670716f0a9f71549

HTTP/1.x 200 OK
Set-Cookie: _session_id=da43fd21e94f6096670716f0a9f71549; path=/


Now they request a resource from app1 which re-directs them to app2
where the jnlp they want is actually generated:

http://concord.org/app1/page/sail_jnlp/6/1

GET /app1/page/sail_jnlp/6/1 HTTP/1.1
Cookie: _session_id=da43fd21e94f6096670716f0a9f71549

HTTP/1.x 302 Found
Set-Cookie: _session_id=da43fd21e94f6096670716f0a9f71549; path=/


App1 is the ‘portal’ they login to and interact with but app2
generates the jnlp and other resources. The response from app2
however sets a new session cookie with the same session key.

http://concord.org/app2/offering/139/jnlp/529?sailotrunk.otmlurl=http://concord.org/app1/page/otml/6/1

GET /sds/5/offering/139/jnlp/529?sailotrunk.otmlurl=http://concord.org/app1/page/otml/6/1 HTTP/1.1
Cookie: _session_id=da43fd21e94f6096670716f0a9f71549

HTTP/1.x 200 OK
Set-Cookie: _session_id=6df71f8e551b3b2de83d4fb0f43d7d56; path=/

When the Java program starts up it requests a REST resource to
specify the content from app1 with the sailotrunk.otmlurl url parameter:

http://concord.org/app1/page/otml/6/1


So after the webstart program has started and the user gets back to
the browser window with app1 sitting in it and clicks on the home
page link the browser sends both session cookies back to the server
but app1 now responds with an entirely new cookie and my logged-in
user is now not logged-in.

http://concord.org/app1/home

GET /app1/home HTTP/1.1
Cookie: _session_id=6df71f8e551b3b2de83d4fb0f43d7d56
_session_id=da43fd21e94f6096670716f0a9f71549

HTTP/1.x 200 OK
Set-Cookie: _session_id=99b095b227bdd6c3918841df3a6c5278; path=/

I want to customize map.resources so it uses a uid in the URL instead
of the database id. The uid is a field on my object.

So I have map.resources :things in routes.rb and I can update a thing
by accessing POST /thing/1. Instead I want to update the thing by
POST /thing/80ed14ce098affc2. The thing has an id of 1 and a uid of
80ed14ce098affc2.

Any options other than getting rid of map.resources and explicitly
defining all the REST routes?

Thanks
Andy

Stephen B. wrote the following on 09.02.2007 23:10 :

Here’s some documentation on changing the primary key used in the
session database table but I haven’t been able to get it to work:

http://caboo.se/doc/classes/CGI/Session/ActiveRecordStore.html

I don’t think you want to change the column used to store the cookie.
You don’t want your applications’ cookies to overlap. You can do it
either by using different system names (accessing your applications
through http://app.concord.org instead of http://concord.org/app)
or by using the path attribute of the cookie header.

[…]

GET /app1/page/list HTTP/1.1
Cookie: _session_id=da43fd21e94f6096670716f0a9f71549

HTTP/1.x 200 OK
Set-Cookie: _session_id=da43fd21e94f6096670716f0a9f71549; path=/

Here, if Rails used :

Set-Cookie: _session_id=da43fd21e94f6096670716f0a9f71549; path=/app1

and in app2 later :

Set-Cookie: _session_id=6df71f8e551b3b2de83d4fb0f43d7d56; path=/

Set-Cookie: _session_id=6df71f8e551b3b2de83d4fb0f43d7d56; path=/app2
instead

You wouldn’t have these problems.

I believe that using

ActionController::Base.session_options[:session_path] = "/app"

in environment.rb would solve your problem (not tested).

You could eliminate this problem by sharing the session store between
your applications if need be (this requires that you can indeed share
the session data between your applications).

Lionel.

Stephen B. wrote:

How can I change the session key “_session_id” returned to the client
from my rails apps. I’m using both 1.2.2 and 1.1.6 frameworks.

Wouldn’t

class ApplicationController < ActionController::Base
  # Pick a unique cookie name to distinguish our session data from others'
  session :session_key => '_some_unique_session_id'
end

do what you’re after?
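
An added example (not code from any poster in this thread): a small model of how a browser stores and returns cookies, replaying the sequence from the trace to show why two apps that both set `_session_id` on `path=/` overwrite each other, and what each app receives under the two suggestions in the replies (per-app cookie paths, per-app session keys). The `CookieJar` class, the `replay` helper and the `_app1_session_id` / `_app2_session_id` names are hypothetical; the jar assumes a single host and ignores domains and expiry.

```ruby
# Minimal browser cookie jar (constructed model, single host, no expiry or
# Domain handling). Cookies are stored per (name, path) pair as in RFC 6265.
class CookieJar
  def initialize
    @cookies = {} # [name, path] => value
  end

  # Store a cookie from a Set-Cookie header; same name + path overwrites.
  def set(name, value, path)
    @cookies[[name, path]] = value
  end

  # RFC 6265 path-match: exact match, or the cookie path is a prefix that
  # ends at a "/" boundary of the request path.
  def path_match?(cookie_path, request_path)
    return true if cookie_path == request_path
    return false unless request_path.start_with?(cookie_path)
    cookie_path.end_with?("/") || request_path[cookie_path.length] == "/"
  end

  # Cookie pairs the browser would send for a request path.
  def cookies_for(request_path)
    @cookies.select { |(_, path), _| path_match?(path, request_path) }
            .map { |(name, _), value| [name, value] }
  end
end

# Replay the thread's sequence: app1 sets its session, then app2 sets its own.
def replay(app1_cookie, app2_cookie)
  jar = CookieJar.new
  jar.set(*app1_cookie)
  jar.set(*app2_cookie)
  { app1: jar.cookies_for("/app1/home"), app2: jar.cookies_for("/app2/offering/139") }
end

APP1_SID = "da43fd21e94f6096670716f0a9f71549" # session ids from the trace above
APP2_SID = "6df71f8e551b3b2de83d4fb0f43d7d56"

# As posted: same name, same path "/" -> app2's value replaces app1's.
COLLIDING = replay(["_session_id", APP1_SID, "/"], ["_session_id", APP2_SID, "/"])
# Per-app paths: each app only ever receives its own cookie.
BY_PATH = replay(["_session_id", APP1_SID, "/app1"], ["_session_id", APP2_SID, "/app2"])
# Per-app names with path "/": both cookies are sent to both apps, but each
# app reads only its own key.
BY_NAME = replay(["_app1_session_id", APP1_SID, "/"], ["_app2_session_id", APP2_SID, "/"])

puts COLLIDING.inspect, BY_PATH.inspect, BY_NAME.inspect
```

With distinct names on `path=/`, each app still receives the other app's session id on every request; scoping the path keeps each session id from being sent to the other app at all.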