Rack 2.1.1+ breaks session_id #154

Open
shleeable opened this issue Jan 27, 2020 · 5 comments

Comments

@shleeable

The issue on master mentioned by @kaoru probably needs to be fixed in activerecord-session-store. It should now store and lookup the private_id of the session_id object in the database. The previous way of looking up the session directly using the session_id is prone to a timing attack, which is the reason rack's API was changed.

Originally posted by @jeremyevans in rack/rack#1522 (comment)

@shleeable shleeable changed the title Rack 2.1.1+ Rack 2.1.1+ breaks session_id Jan 27, 2020
@kaoru

kaoru commented Jan 27, 2020

Duplicating my comment from rack/rack#1522 here, with some small updates to include ActiveRecord Session Store versions:

Rack 2.1.1, ActiveRecord Session Store 1.1.3

NoMethodError
undefined method `transform_keys' for #<ActionDispatch::Request::Session:0x00007fd3d0f3d170>

rack (2.1.1) lib/rack/session/abstract/id.rb:212:in `stringify_keys'
rack (2.1.1) lib/rack/session/abstract/id.rb:148:in `update'
rack (2.1.1) lib/rack/session/abstract/id.rb:317:in `prepare_session'
rack (2.1.1) lib/rack/session/abstract/id.rb:276:in `context'
rack (2.1.1) lib/rack/session/abstract/id.rb:271:in `call'
rack (2.1.1) lib/rack/urlmap.rb:77:in `block in call'
rack (2.1.1) lib/rack/urlmap.rb:61:in `each'
rack (2.1.1) lib/rack/urlmap.rb:61:in `call'
rack (2.1.1) lib/rack/builder.rb:176:in `call'
sidekiq (6.0.3) lib/sidekiq/web.rb:104:in `call'
sidekiq (6.0.3) lib/sidekiq/web.rb:109:in `call'
actionpack (6.0.2.1) lib/action_dispatch/routing/mapper.rb:19:in `block in <class:Constraints>'
actionpack (6.0.2.1) lib/action_dispatch/routing/mapper.rb:48:in `serve'
actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:49:in `block in serve'
actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:32:in `each'
actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:32:in `serve'
actionpack (6.0.2.1) lib/action_dispatch/routing/route_set.rb:837:in `call'
meta_request (0.7.2) lib/meta_request/middlewares/app_request_handler.rb:13:in `call'
meta_request (0.7.2) lib/meta_request/middlewares/meta_request_handler.rb:13:in `call'
rack-attack (6.2.1) lib/rack/attack.rb:156:in `call'
remotipart (1.4.3) lib/remotipart/middleware.rb:32:in `call'
warden (1.2.8) lib/warden/manager.rb:36:in `block in call'
warden (1.2.8) lib/warden/manager.rb:34:in `catch'
warden (1.2.8) lib/warden/manager.rb:34:in `call'
rack (2.1.1) lib/rack/tempfile_reaper.rb:17:in `call'
rack (2.1.1) lib/rack/etag.rb:27:in `call'
rack (2.1.1) lib/rack/conditional_get.rb:27:in `call'
rack (2.1.1) lib/rack/head.rb:14:in `call'
actionpack (6.0.2.1) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
rack (2.1.1) lib/rack/session/abstract/id.rb:277:in `context'
rack (2.1.1) lib/rack/session/abstract/id.rb:271:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/cookies.rb:648:in `call'
activerecord (6.0.2.1) lib/active_record/migration.rb:567:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (6.0.2.1) lib/active_support/callbacks.rb:101:in `run_callbacks'
actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
rack-contrib (2.1.0) lib/rack/contrib/response_headers.rb:17:in `call'
meta_request (0.7.2) lib/meta_request/middlewares/headers.rb:16:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
railties (6.0.2.1) lib/rails/rack/logger.rb:38:in `call_app'
railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `block in call'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `block in tagged'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:28:in `tagged'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `tagged'
railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
request_store (1.4.1) lib/request_store/middleware.rb:19:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/request_id.rb:27:in `call'
rack (2.1.1) lib/rack/method_override.rb:24:in `call'
rack (2.1.1) lib/rack/runtime.rb:24:in `call'
rack-attack (6.2.1) lib/rack/attack.rb:170:in `call'
activesupport (6.0.2.1) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/static.rb:126:in `call'
rack (2.1.1) lib/rack/sendfile.rb:113:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/host_authorization.rb:83:in `call'
webpacker (4.2.2) lib/webpacker/dev_server_proxy.rb:23:in `perform_request'
rack-proxy (0.6.5) lib/rack/proxy.rb:57:in `call'
railties (6.0.2.1) lib/rails/engine.rb:526:in `call'
puma (4.3.1) lib/puma/configuration.rb:228:in `call'
puma (4.3.1) lib/puma/server.rb:681:in `handle_request'
puma (4.3.1) lib/puma/server.rb:472:in `process_client'
puma (4.3.1) lib/puma/server.rb:328:in `block in run'
puma (4.3.1) lib/puma/thread_pool.rb:134:in `block in spawn_thread'

Rack master (rack/rack@0155690), ActiveRecord Session Store 1.1.3

TypeError
can't cast Rack::Session::SessionId

activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/quoting.rb:34:in `rescue in type_cast'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/quoting.rb:24:in `type_cast'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/quoting.rb:203:in `block in type_casted_binds'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/quoting.rb:203:in `map'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/quoting.rb:203:in `type_casted_binds'
activerecord (6.0.2.1) lib/active_record/connection_adapters/postgresql_adapter.rb:682:in `exec_cache'
activerecord (6.0.2.1) lib/active_record/connection_adapters/postgresql_adapter.rb:655:in `execute_and_clear'
activerecord (6.0.2.1) lib/active_record/connection_adapters/postgresql/database_statements.rb:98:in `exec_query'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/database_statements.rb:491:in `select_prepared'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/database_statements.rb:68:in `select_all'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/query_cache.rb:105:in `block in select_all'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/query_cache.rb:123:in `block in cache_sql'
/Users/alex/.rbenv/versions/2.6.5/lib/ruby/2.6.0/monitor.rb:235:in `mon_synchronize'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/query_cache.rb:114:in `cache_sql'
activerecord (6.0.2.1) lib/active_record/connection_adapters/abstract/query_cache.rb:105:in `select_all'
activerecord (6.0.2.1) lib/active_record/querying.rb:46:in `find_by_sql'
activerecord (6.0.2.1) lib/active_record/relation.rb:810:in `block in exec_queries'
activerecord (6.0.2.1) lib/active_record/relation.rb:828:in `skip_query_cache_if_necessary'
activerecord (6.0.2.1) lib/active_record/relation.rb:797:in `exec_queries'
activerecord (6.0.2.1) lib/active_record/relation.rb:615:in `load'
activerecord (6.0.2.1) lib/active_record/relation.rb:250:in `records'
activerecord (6.0.2.1) lib/active_record/relation.rb:245:in `to_ary'
activerecord (6.0.2.1) lib/active_record/relation/finder_methods.rb:528:in `find_nth_with_limit'
activerecord (6.0.2.1) lib/active_record/relation/finder_methods.rb:513:in `find_nth'
activerecord (6.0.2.1) lib/active_record/relation/finder_methods.rb:120:in `first'
activerecord-session_store (1.1.3) lib/active_record/session_store/session.rb:58:in `find_by_session_id'
activerecord-session_store (1.1.3) lib/action_dispatch/session/active_record_store.rb:124:in `block in get_session_model'
activerecord-session_store (1.1.3) lib/active_record/session_store/extension/logger_silencer.rb:47:in `silence_logger'
activerecord-session_store (1.1.3) lib/action_dispatch/session/active_record_store.rb:123:in `get_session_model'
activerecord-session_store (1.1.3) lib/action_dispatch/session/active_record_store.rb:83:in `block in write_session'
activerecord-session_store (1.1.3) lib/active_record/session_store/extension/logger_silencer.rb:47:in `silence_logger'
activerecord-session_store (1.1.3) lib/action_dispatch/session/active_record_store.rb:82:in `write_session'
rack (01556901e519) lib/rack/session/abstract/id.rb:396:in `commit_session'
rack (01556901e519) lib/rack/session/abstract/id.rb:276:in `context'
rack (01556901e519) lib/rack/session/abstract/id.rb:268:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/cookies.rb:648:in `call'
activerecord (6.0.2.1) lib/active_record/migration.rb:567:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (6.0.2.1) lib/active_support/callbacks.rb:101:in `run_callbacks'
actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
rack-contrib (2.1.0) lib/rack/contrib/response_headers.rb:17:in `call'
meta_request (0.7.2) lib/meta_request/middlewares/headers.rb:16:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
railties (6.0.2.1) lib/rails/rack/logger.rb:38:in `call_app'
railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `block in call'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `block in tagged'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:28:in `tagged'
activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `tagged'
railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
request_store (1.4.1) lib/request_store/middleware.rb:19:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/request_id.rb:27:in `call'
rack (01556901e519) lib/rack/method_override.rb:24:in `call'
rack (01556901e519) lib/rack/runtime.rb:24:in `call'
rack-attack (6.2.1) lib/rack/attack.rb:170:in `call'
activesupport (6.0.2.1) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/static.rb:126:in `call'
rack (01556901e519) lib/rack/sendfile.rb:113:in `call'
actionpack (6.0.2.1) lib/action_dispatch/middleware/host_authorization.rb:83:in `call'
webpacker (4.2.2) lib/webpacker/dev_server_proxy.rb:23:in `perform_request'
rack-proxy (0.6.5) lib/rack/proxy.rb:57:in `call'
railties (6.0.2.1) lib/rails/engine.rb:526:in `call'
puma (4.3.1) lib/puma/configuration.rb:228:in `call'
puma (4.3.1) lib/puma/server.rb:681:in `handle_request'
puma (4.3.1) lib/puma/server.rb:472:in `process_client'
puma (4.3.1) lib/puma/server.rb:328:in `block in run'
puma (4.3.1) lib/puma/thread_pool.rb:134:in `block in spawn_thread'

Let me know if I can provide any additional information 😄

@jskirst

jskirst commented Jul 22, 2020

Running into this issue as well - seems like it would be fairly widespread at this point, but odd that no one else has chimed in. This is an issue for me in a standard Rails application but not in a Rails API-only application.

Update: I was able to resolve my issue by modifying my config/initializers/session_store.rb code to the following:

Rails.application.config.session_store :active_record_store, key: '.....

It had originally been the following, which had worked for my Rails API-only application.

Rails.application.config.middleware.use ActionDispatch::Cookies
Rails.application.config.middleware.insert_after(ActionDispatch::Cookies, ActionDispatch::Session::ActiveRecordStore, key: '...

@wimpog

wimpog commented Nov 2, 2020

@jskirst I have the same thing as you and it doesn't fix my issue.

@wimpog

wimpog commented Nov 2, 2020

Any update on this issue?

@synth

synth commented Mar 27, 2021

We are hitting this as well after upgrading to 2.0 of this gem. In our case, we have middleware for fast autocomplete/typeahead functionality.

We look up the session with:

session = ActiveRecord::SessionStore::Session.find_by_session_id( request.cookies[session_key] )

request.cookies[session_key] is different from what is stored in the session_id column in the database, and so the above no longer works.

However, we were able to solve it with:

sid = Rack::Session::SessionId.new( request.cookies[session_key] )
sid.public_id # maps to what is stored in the cookie, obvs
sid.private_id # maps to what is stored in the database
session = ActiveRecord::SessionStore::Session.find_by_session_id( sid.private_id )

I don't know if this is the best, most idiomatic way to solve this but it works for us for now.
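The public_id / private_id split behind the workaround above, and the timing-attack rationale @jeremyevans gives in the opening comment, as an added stand-alone example (not code from Rack or activerecord-session_store). It models the cookie value as the public id and the database key as a versioned SHA-256 hash of it; the `2::` prefix and SHA-256 derivation mirror Rack's `SessionId` as I understand it and should be treated as an assumption, and the in-memory store stands in for the sessions table. Because the row key is a hash, a byte-by-byte equality comparison in the database can at best leak the hash, which does not give back the cookie value, and a partial match of the cookie no longer produces a partial match of the key.

```ruby
require 'digest'

# Constructed model of the Rack 2.1.1+ SessionId split (added example, not
# the gem's code). The cookie carries the public id; the sessions table row is
# keyed by the derived private id, so a lookup by the raw cookie finds nothing.
# The "2::" version prefix and SHA-256 derivation are assumed to mirror
# Rack::Session::SessionId.
class DemoSessionId
  ID_VERSION = 2
  attr_reader :public_id

  def initialize(public_id)
    @public_id = public_id
  end

  # What goes into the session_id column. A one-character change in the cookie
  # changes every byte of this value, so comparison timing leaks no prefix.
  def private_id
    "#{ID_VERSION}::#{Digest::SHA256.hexdigest(public_id)}"
  end
end

# Constructed in-memory stand-in for the sessions table (session_id => data).
class DemoSessionStore
  def initialize
    @rows = {}
  end

  # Writing a session stores it under the private id, as the 2.x store does.
  def write(sid, data)
    @rows[sid.private_id] = data
  end

  # Pre-2.1.1 style lookup by the raw cookie value: now returns nil.
  def find_by_raw_cookie(cookie_value)
    @rows[cookie_value]
  end

  # Post-2.1.1 style lookup: derive the private id first (the workaround above).
  def find_by_cookie(cookie_value)
    @rows[DemoSessionId.new(cookie_value).private_id]
  end
end

# Runs both lookups against one stored session; returns [raw_result, derived_result].
def demo_lookup(cookie_value = 'deadbeef01234567') # constructed sample cookie
  store = DemoSessionStore.new
  store.write(DemoSessionId.new(cookie_value), { 'user_id' => 42 })
  [store.find_by_raw_cookie(cookie_value), store.find_by_cookie(cookie_value)]
end
```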
