How can I change the session key “_session_id” returned to the client
from my rails apps? I’m using both 1.2.2 and 1.1.6 frameworks.
I have a strange problem. I have two rails apps that use REST to
communicate. The problematic interaction occurs when app1 uses a
redirect to point the client to app2. Both apps appear use the same
session key identifier: “_session_id”. When the re-direct occurs the
session cookie from app1 is replaced by the session cookie from app
two because they both use the same key.
Here’s some documentation on changing the primary key used in the
session database table but I haven’t been able to get it to work:
http://caboo.se/doc/classes/CGI/Session/ActiveRecordStore.html
The fifth paragraph suggests:
Note that setting the primary key to the session_id frees you from
having a separate id column if you don’t want it.
However, you must set session.model.id = session.session_id by
hand! A before_filter on ApplicationController is a
good place.
I thought perhaps rails was by default deriving the
string for the session key from the primary key for the
session table and tried changing it here and in the migrations but
even though I’ve changed it everywhere I have found:
CGI::Session::ActiveRecordStore::Session.table_name = "#{RAILS_APPLICATION_PREFIX}diy_sessions"
CGI::Session::ActiveRecordStore::Session.primary_key = "#{RAILS_APPLICATION_PREFIX}diy_session_id"
I still get this suspicious error:
Mysql::Error: Unknown column 'session_id' in 'where clause': SELECT *
FROM teemss2_diy_sessions WHERE (session_id =
'8e4863f1ca1943753def464382ce88bb') LIMIT 1
Sure does look like there is some other place the primary key is set.
Here’s the forensics:
My logged-in user’s been working in app1 and their browser’s been
happily exchanging their session cookie back and forth with app1:
http://concord.org/app1/page/list
GET /app1/page/list HTTP/1.1
Cookie: _session_id=da43fd21e94f6096670716f0a9f71549
HTTP/1.x 200 OK
Set-Cookie: _session_id=da43fd21e94f6096670716f0a9f71549; path=/
Now they request a resource from app1 which re-directs them to app2
where the jnlp they want is actually generated:
http://concord.org/app1/page/sail_jnlp/6/1
GET /app1/page/sail_jnlp/6/1 HTTP/1.1
Cookie: _session_id=da43fd21e94f6096670716f0a9f71549
HTTP/1.x 302 Found
Set-Cookie: _session_id=da43fd21e94f6096670716f0a9f71549; path=/
App1 is the ‘portal’ they login to and interact with but app2
generates the jnlp and other resources. The response from app2
however sets a new session cookie with the same session key.
http://concord.org/app2/offering/139/jnlp/529?sailotrunk.otmlurl=http://concord.org/app1/page/otml/6/1
GET /sds/5/offering/139/jnlp/529?sailotrunk.otmlurl=http://concord.org/app1/page/otml/6/1 HTTP/1.1
Cookie: _session_id=da43fd21e94f6096670716f0a9f71549
HTTP/1.x 200 OK
Set-Cookie: _session_id=6df71f8e551b3b2de83d4fb0f43d7d56; path=/
When the Java program starts up it requests a REST resource to
specify the content from app1 with the sailotrunk.otmlurl url parameter:
http://concord.org/app1/page/otml/6/1
So after the webstart program has started and the user gets back to
the browser window with app1 sitting in it and clicks on the home
page link the browser sends both session cookies back to the server
but app1 now responds with an entirely new cookie and my logged-in
user is now not logged-in.
GET /app1/home HTTP/1.1
Cookie: _session_id=6df71f8e551b3b2de83d4fb0f43d7d56
_session_id=da43fd21e94f6096670716f0a9f71549
HTTP/1.x 200 OK
Set-Cookie: _session_id=99b095b227bdd6c3918841df3a6c5278; path=/
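
The cookie replacement described in the post, replayed as an added example (not part of the original post): a minimal cookie jar keyed on name, host and path, fed the captured Set-Cookie headers. The `_app1_session_id` / `_app2_session_id` names and the `/app1`, `/app2` cookie paths are hypothetical values chosen for illustration.

```ruby
# Minimal browser cookie jar: a cookie is identified by (name, host, path),
# so a Set-Cookie with the same triple replaces the stored value.
class CookieJar
  def initialize
    @cookies = {}
  end

  # Store one Set-Cookie header received from +host+.
  def store(host, set_cookie)
    pair, *attrs = set_cookie.split(/;\s*/)
    name, value = pair.split('=', 2)
    found = attrs.map { |a| a.split('=', 2) }.find { |k, v| k.downcase == 'path' && v }
    @cookies[[name, host, found ? found.last : '/']] = value
  end

  # Cookie header the browser would send for +request_path+ on +host+.
  def header_for(host, request_path)
    @cookies.select { |(_, h, cpath), _| h == host && path_match?(request_path, cpath) }
            .map { |(name, _, _), value| "#{name}=#{value}" }.join('; ')
  end

  private

  # Path matching: exact match, or cookie path is a directory prefix.
  def path_match?(request_path, cookie_path)
    return true if request_path == cookie_path
    return false unless request_path.start_with?(cookie_path)
    cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
  end
end

APP1_ID = 'da43fd21e94f6096670716f0a9f71549' # session ids taken from the post
APP2_ID = '6df71f8e551b3b2de83d4fb0f43d7d56'

# Replays the exchange: app1 sets its cookie, app2 sets its own,
# then the browser requests /app1/home.
def replay(app1_cookie, app2_cookie)
  jar = CookieJar.new
  jar.store('concord.org', app1_cookie)
  jar.store('concord.org', app2_cookie)
  jar.header_for('concord.org', '/app1/home')
end

# As captured: same name and path, so app1's session id is overwritten.
puts replay("_session_id=#{APP1_ID}; path=/", "_session_id=#{APP2_ID}; path=/")
# Hypothetical per-app cookie names: both ids survive side by side.
puts replay("_app1_session_id=#{APP1_ID}; path=/", "_app2_session_id=#{APP2_ID}; path=/")
# Hypothetical per-app cookie paths: app2's cookie is never sent to /app1.
puts replay("_session_id=#{APP1_ID}; path=/app1", "_session_id=#{APP2_ID}; path=/app2")
```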