Rails also has a function called reset_session that wipes the user's session and gives him a new one. Agile Web Development with Rails says you should call the reset_session method after the user logs out of your site. This helps avoid session fixation attacks.
Unfortunately, authlogic doesn't do this automatically. Hence, I decided to do it myself. I had code like:
reset_sessionThe code works, but the message "Log out successful!" doesn't show up. Fortunately, my tests caught that. It turns out that Rails has a known bug that if you call reset_session, flash breaks. Why?
flash[:notice] = "Log out successful!"
Rails uses an idiom that looks like:
def fooThis idiom implicitly uses @foo as a cache so that calculate_foo is only called the first time the foo method is called.
@foo ||= calculate_foo
end
The great thing about caches is that they can prevent unnecessary, time-consuming work. The bad thing about them is that you have to deal with cache inconsistency problems.
flash uses this idiom:
def flashSo does the session. You might see where I'm going with this.
unless defined? @_flash
@_flash = session["flash"] ||= FlashHash.new
@_flash.sweep
end
@_flash
end
When you call reset_session, there are two caches that have become inconsistent, and the fact that there are multiple layers of cache inconsistency is what lead to the bug.
1 comment:
I think reset_session is broken again. I just upgraded to Rails 2.3.8, and I'm getting test failures related to reset_session.
This may be related: https://rails.lighthouseapp.com/projects/8994/tickets/2200-session-support-broken.
Post a Comment