Is rodauth deleting keys from my session?

[jesseduffield]

I've got an intermittent issue where it appears that some keys that I've set in my session are being deleted, and I suspect rodauth may be the culprit. I can go from having the following keys in my session:

[
    [0] "session_id",
    [1] "customer_account_id",
    [2] "customer_active_session_id",
    [3] "customer_authenticated_by",
    [4] "customer_two_factor_auth_setup",
    [5] "my_key",
    [6] "my_key_2"
]

To having my_key and my_key_2 removed. I suspect that rodauth is clearing the session and re-setting its own values in the session, such that my own session values are cleared too.

Here's my RodauthApp:

class RodauthApp < Rodauth::Rails::App
  configure RodauthCustomerPortal, :customer_portal
  configure RodauthAdminPortal, :admin_portal

  route do |r|
    rodauth(:customer_portal).check_active_session
    rodauth(:admin_portal).check_active_session

    r.rodauth(:customer_portal)
    r.rodauth(:admin_portal)
  end
end

And here's my rudimentary test that rodauth is capable of clearing my session internally (Using the clear_session method which I've found from looking at the rodauth codebase:

class RodauthApp < Rodauth::Rails::App
  configure RodauthCustomerPortal, :customer_portal
  configure RodauthAdminPortal, :admin_portal

  route do |r|
    rodauth(:customer_portal).check_active_session
    rodauth(:admin_portal).check_active_session

    session[:test] = "test"
    ap session.keys
    rodauth(:customer_portal).clear_session
    ap session.keys

    r.rodauth(:customer_portal) # route customer rodauth requests
    r.rodauth(:admin_portal) # route admin rodauth requests
  end
end

Which spits out:

[
    [0] "session_id",
    [1] "test"
]

[
    [0] "session_id"
]

I'd like to know:

• is this expected behaviour
• if not, how can I investigate to find out where my session values are being cleared?

Thanks!

[janko]

Yes, that's expected behavior, Rodauth clears the entire session when on login and logout. This is to prevent session fixation attacks, see https://guides.rubyonrails.org/security.html#session-fixation-countermeasures.

As far as I know, Devise/Warden also resets the session on logout, though it doesn't seem to do it on login.

[jesseduffield]

Thanks for the fast response. Although what's confusing is that this does not occur on login or logout: my user is already logged in, and after the issue, my user is still able to click around the app fine.

I'm not sure whether it makes a difference but I notice the issue as part of an oauth flow with another app i.e. when a user adds an integration in our app, we redirect them to the relevant site, then when that site redirects the browser to our callback endpoint, it seems our session state has disappeared (but the rodauth-specific session state is still there). I don't know whether the fact that the user has returned from another site makes a difference; it's just that this is the only flow in our site that involves manually setting session keys (for the sake of oauth state comparison in the callback endpoint) and so naturally it's in this flow that we discover this strange behaviour.

I'm wondering if perhaps the session is being periodically reset by rodauth as part of some kind of intermittent process, e.g. checking if the session is still active. Maybe occasionally the oauth callback endpoint on my end is hit at the same time that rodauth resets the session.

EDIT: For example, I'm using the active sessions feature and I can see in rodauth's code that sometimes it clears the session right before setting it again: https://github.com/jeremyevans/rodauth/blob/ec8be20e8a42f2988be429dda30aa84974124083/lib/rodauth/features/active_sessions.rb#L123
I don't fully understand what's happening in that code though

[janko]

If you still stay logged in when this happens, then it doesn't seem to me like active_sessions is responsible for this behavior. The #check_active_session call clears the session hash when the active session expires, and then redirects.

Have you tried disabling active_sessions and seeing if it still happens? Does it currently happen consistently? Without knowing the details of the OAuth flow and a minimal example that reproduces the issue, I don't think I'll be able to pinpoint the issue.

I'll convert this into a discussion, because it doesn't appear to be a bug in rodauth-rails.

[jesseduffield]

It doesn't happen consistently, but I'll see if I can reliably reproduce it somehow. I'll also try disabling active_sessions and seeing how that goes.

[jesseduffield]

I found out what the problem was: I was making multiple simultaneous requests from my SPA frontend: one which set oauth state in the session, and one which didn't. There was a race condition which led to the non-oauth request updating the session and overwriting the contents of the oauth request. The reason I suspected rodauth was the culprit was that the session still had rodauth values in it, but that's just because that's what was present in the prior request.

Rails typically re-writes the session with each request so this is to be expected. I solved the issue by just storing oauth state in a separate cookie. Thanks for bearing with me!