Rails 4 Session.Id Occasionally Nil

Session becomes nil in application controller

It's possible that you are experiencing a CSRF issue.

If the security token doesn't match what was expected, the session will be reset.

To check if it is a CSRF issue, you can temporarily disable the protect_from_forgery line in your ApplicationController.

Additionally, make sure your configuration for session storage is complete, with secret keys in config/secrets.yml for non-production environments and as an environment variable for production.

Secret keys can be generated as follows in a console:

$ rake secret
82d58d3dfb91238b495a311eb8539edf5064784f1d58994679db8363ec241c745bef0b446bfe44d66cbf91a2f4e497d8f6b1ef1656e3f405b0d263a9617ac75e

Each time a new secret key is used, older sessions using other keys will not validate and the result of the session will be nil.

Comments directly from generated file config/secrets.yml (Rails 4.2):

# Be sure to restart your server when you modify this file.

# Your secret key is used for verifying the integrity of signed cookies.
# If you change this key, all old signed cookies will become invalid!

# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
# You can use `rake secret` to generate a secure secret key.

# Make sure the secrets in this file are kept private
# if you're sharing your code publicly.
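To see why a rotated secret turns the session into nil, here is an added example (not code from the original answer or from Rails itself) that reproduces the signing half of the Rails 4 cookie store in plain Ruby: the cookie is Base64 of the serialized session, "--", and an HMAC-SHA1 hex digest over that Base64 keyed with the secret, which is the ActiveSupport::MessageVerifier layout. JSON as the serializer, the class name SessionCookieVerifier and the sample session contents are assumptions made for the example.

```ruby
require 'base64'
require 'json'
require 'openssl'
require 'securerandom'

# Stand-in for the signing half of Rails 4's cookie session store (what
# ActiveSupport::MessageVerifier does): the cookie value is
# Base64(serialized session) + "--" + HMAC-SHA1 hex digest over that Base64,
# keyed with the application secret. JSON is used as the serializer here;
# the exact serializer does not matter for the point being shown.
class SessionCookieVerifier
  def initialize(secret)
    @secret = secret
  end

  def generate(session)
    encoded = Base64.strict_encode64(JSON.generate(session))
    "#{encoded}--#{digest(encoded)}"
  end

  # Returns the session hash, or nil when the digest does not match. A nil
  # here is what the app sees when the secret changed under an old cookie,
  # or when a client tampered with the payload.
  def verify(cookie)
    return nil unless cookie.is_a?(String) && cookie.include?('--')
    encoded, sig = cookie.split('--', 2)
    return nil unless secure_compare(digest(encoded), sig)
    JSON.parse(Base64.strict_decode64(encoded))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
  end

  # Constant-time comparison: an early-exit == would leak, via timing, how
  # many leading bytes of a forged digest are right.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Two secrets of the shape `rake secret` prints (SecureRandom.hex(64)).
OLD_SECRET = SecureRandom.hex(64)
NEW_SECRET = SecureRandom.hex(64)

# A cookie as issued while OLD_SECRET was configured (constructed sample).
def cookie_issued_under_old_secret
  SessionCookieVerifier.new(OLD_SECRET).generate('session_id' => 'abc123', 'user_id' => 42)
end

def read_session(secret, cookie)
  SessionCookieVerifier.new(secret).verify(cookie)
end

# What a client that edits its own cookie produces: new payload, old digest.
def tampered(cookie)
  encoded, sig = cookie.split('--', 2)
  session = JSON.parse(Base64.strict_decode64(encoded))
  session['user_id'] = 1
  "#{Base64.strict_encode64(JSON.generate(session))}--#{sig}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = cookie_issued_under_old_secret
  p read_session(OLD_SECRET, cookie)           # {"session_id"=>"abc123", "user_id"=>42}
  p read_session(NEW_SECRET, cookie)           # nil: secret rotated, old cookie invalid
  p read_session(OLD_SECRET, tampered(cookie)) # nil: payload edited, digest no longer matches
end
```

The second and third results are the point: a cookie signed under the old secret, or edited by the client, verifies to nil rather than raising, which is exactly the "session is nil" symptom. Rotating the secret is therefore a deliberate way to log everyone out, and accidentally running with a different secret per process or per deploy produces the same effect.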

Is it possible to get id of a new session in rails?

It looks like the id is generated really late in the Rails request response cycle. As far as I understand, it's generated (randomly) in rack, which is called from here.

Possibly, you could override this method and let it return something you generated (make sure you get your crypto right) earlier in the request response cycle.

Can't delete session properly in rails

The proper way to log a user out in Rails is by invalidating the session.

def log_out
  reset_session
  @current_user = nil
end

The way sessions work in Rails is that the visitor is issued a cookie with a session id (a hash) when they first visit the site. This is linked to a stored session (also a cookie) and Rails keeps track of which session ids are valid.

reset_session invalidates the session id on the server which is very important if you want to avoid things like session fixation and replay attacks. It also issues a new session id.

Doing session.delete(:user_id) only manipulates the session storage cookie held by the client. So if the client for example sends an older cookie they would still be logged in!

Then why is it not in the tutorial?

M. Hartl's Rails Tutorial book is not officially sanctioned and while it's pretty good at explaining the key concepts, it contains quite a lot which is very questionable.
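The fixation and replay points in the answer above can be made concrete with a small simulation. This is an added example, not code from the answer or from Rails: it models a server-side session store (as with the ActiveRecord or memcache stores, where the client's cookie carries only the id) and a controller-like class whose reset_session does what the Rails method does, destroy the presented id and issue a fresh one. The class names, the SecureRandom.hex(16) id length and the user id 42 are assumptions made for the example.

```ruby
require 'securerandom'

# Server-side session store keyed by session id, as with the ActiveRecord or
# memcache session stores: the client's cookie carries only the id.
class SessionStore
  def initialize
    @sessions = {}
  end

  def fetch(sid)
    @sessions[sid]            # nil for an unknown or destroyed id
  end

  def create
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    sid
  end

  def destroy(sid)
    @sessions.delete(sid)
  end
end

# Stand-in for a controller: every call takes the sid presented by the
# client's cookie and returns the sid the client should hold afterwards.
class App
  attr_reader :store

  def initialize
    @store = SessionStore.new
  end

  # Rails' reset_session: drop the server-side state for the presented id
  # and hand out a fresh id. The old id is worthless from now on.
  def reset_session(sid)
    @store.destroy(sid)
    @store.create
  end

  # Vulnerable login: keeps whatever id the client showed up with. An id an
  # attacker planted on the victim (fixation) becomes the victim's
  # authenticated session, and the attacker holds a copy of it.
  def login_without_reset(sid, user_id)
    sid = @store.create unless @store.fetch(sid)
    @store.fetch(sid)[:user_id] = user_id
    sid
  end

  # Safe login: rotate the id first, so the planted id never authenticates.
  def login_with_reset(sid, user_id)
    new_sid = reset_session(sid)
    @store.fetch(new_sid)[:user_id] = user_id
    new_sid
  end

  # Logout as in the answer above: invalidate the id, not just the user key.
  def log_out(sid)
    reset_session(sid)
  end

  def current_user(sid)
    session = @store.fetch(sid)
    session && session[:user_id]
  end
end

# Session fixation: attacker obtains a valid id, plants it on the victim (for
# example through a crafted link or an injected cookie), victim logs in.
def fixation_outcome(reset_on_login:)
  app = App.new
  planted_sid = app.store.create
  victim_sid = if reset_on_login
                 app.login_with_reset(planted_sid, 42)
               else
                 app.login_without_reset(planted_sid, 42)
               end
  { attacker_sees: app.current_user(planted_sid),
    victim_sees:   app.current_user(victim_sid) }
end

# Replay after logout: attacker captured the cookie while the user was
# logged in, user logs out via reset_session, attacker replays the cookie.
def replay_after_logout
  app = App.new
  captured_sid = app.login_with_reset(nil, 42)
  app.log_out(captured_sid)
  app.current_user(captured_sid)
end

if __FILE__ == $PROGRAM_NAME
  p fixation_outcome(reset_on_login: false) # {:attacker_sees=>42, :victim_sees=>42}
  p fixation_outcome(reset_on_login: true)  # {:attacker_sees=>nil, :victim_sees=>42}
  p replay_after_logout                     # nil
end
```

Calling reset_session on login, not only on logout, is what closes the fixation case. One caveat for the default cookie store: there the session data lives inside the signed cookie itself, so a copy captured before logout still verifies after reset_session as long as the secret is unchanged; blocking that replay needs a server-side store as modelled here, a short session expiry, or a rotated secret.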

Sessions are getting crossed. Ruby on Rails

I'd be willing to bet you're using Passenger's (default) smart spawning, and falling victim to the Spawning Gotcha.

Set your PassengerSpawnMethod to 'conservative' and see if this goes away. This easily accounts for the memcache case, unless you are protecting against it. Presumably a similar problem in devise (or your code).

Do you see sessions cross across physical servers, or only on one server?
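Besides switching PassengerSpawnMethod, Passenger's documented way to keep smart spawning and still avoid the gotcha is to reopen shared connections in the starting_worker_process hook. The following is an added example, not code from the answer or from Passenger: the file path config/initializers/passenger.rb, the reconnect_after_fork helper and the set of clients being reopened are assumptions; ActiveRecord::Base.establish_connection is the reconnect call Passenger's guide shows, while the Rails.cache.reset call is guarded because not every cache store offers it.

```ruby
# config/initializers/passenger.rb (assumed path)
#
# With smart spawning, Passenger forks application processes from one
# preloaded copy of the app. Any socket opened before the fork (database,
# memcache, Redis) is then shared by every worker, and a reply can be read
# by a worker that did not send the request, which is one way session data
# ends up "crossed" between users. Passenger raises the
# :starting_worker_process event in each forked worker; connections opened
# before the fork must be reopened there.

# Reopen every pre-fork connection. `reconnectors` maps a label to a lambda
# that re-establishes that client's connection; lambdas keep this independent
# of any one client library. Returns the labels that were reopened, so the
# hook's effect can be logged or checked.
def reconnect_after_fork(reconnectors, forked)
  return [] unless forked   # direct/conservative spawning shares nothing
  reconnectors.map do |label, reopen|
    reopen.call
    label
  end
end

if defined?(PhusionPassenger)
  PhusionPassenger.on_event(:starting_worker_process) do |forked|
    reopened = reconnect_after_fork(
      {
        database: -> { ActiveRecord::Base.establish_connection },
        # Assumption: the cache store responds to #reset (Dalli-backed
        # stores do); other stores are left alone.
        memcache: -> { Rails.cache.reset if Rails.cache.respond_to?(:reset) }
      },
      forked
    )
    Rails.logger.info("passenger worker #{Process.pid}: reopened #{reopened.inspect}") if defined?(Rails)
  end
end
```

The `forked` flag is false under conservative/direct spawning, which is why the answer's suggestion also makes the symptom disappear: there is no shared pre-fork socket to reopen. Session stores that live in memcache or Redis are the usual victims, so their clients belong in this list as well.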
