Rails: Cache Inconsistency Caused by a Common Rails Idiom

Rails has a feature called "flash". Anything put in the flash is available on the next page load. It's based on the session, but it goes away after the next page load. It's perfect for saving a message for the user even if you're going to do a redirect.

Rails also has a function called reset_session that wipes the user's session and gives him a new one. Agile Web Development with Rails says you should call the reset_session method after the user logs out of your site. This helps avoid session fixation attacks.

Unfortunately, authlogic doesn't do this automatically. Hence, I decided to do it myself. I had code like:
    flash[:notice] = "Log out successful!"
The code works, but the message "Log out successful!" doesn't show up. Fortunately, my tests caught that. It turns out that Rails has a known bug: if you call reset_session, flash breaks. Why?

Rails uses an idiom that looks like:
    def foo
      # Compute the value on the first call only; later calls return the cached @foo.
      @foo ||= calculate_foo
    end
This idiom implicitly uses @foo as a cache so that calculate_foo is only called the first time the foo method is called.

The great thing about caches is that they can prevent unnecessary, time-consuming work. The bad thing about them is that you have to deal with cache inconsistency problems.

flash uses this idiom:
    def flash
      unless defined? @_flash
        @_flash = session["flash"] ||= FlashHash.new
      end
      @_flash
    end

So does the session. You might see where I'm going with this.

When you call reset_session, there are two caches that have become inconsistent, and the fact that there are multiple layers of cache inconsistency is what led to the bug.
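
The stale-cache failure described above, as an added example in plain Ruby (a simplified model, not Rails source and not the author's code). ToyController, its store and the two reset methods are hypothetical, and the example assumes flash was already touched earlier in the request, before the session was reset.

```ruby
# Constructed model of the two memoized layers: session and flash.
class ToyController
  attr_reader :store            # stands in for the server-side session store

  def initialize
    @store = {}                 # session id => session hash
    @next_id = 0
  end

  # First cache layer: the session hash is memoized for the request.
  def session
    @_session ||= new_session
  end

  # Second cache layer: flash is memoized and points into the session hash.
  def flash
    @_flash = session["flash"] ||= {} unless defined? @_flash
    @_flash
  end

  # Swaps in a fresh session but leaves @_flash pointing at the old one.
  def reset_session_stale
    @_session = new_session
  end

  # Swaps in a fresh session and invalidates the dependent flash cache.
  def reset_session_consistent
    @_session = new_session
    remove_instance_variable(:@_flash) if defined? @_flash
  end

  private

  def new_session
    @store[@next_id += 1] = {}
  end
end

# Runs a logout-style action and reports where the flash message ended up.
def logout_flash(reset_method)
  c = ToyController.new
  c.flash[:notice] = "Welcome back"         # assumed earlier access to flash
  c.send(reset_method)
  c.flash[:notice] = "Log out successful!"
  { current: c.session["flash"], discarded: c.store[1]["flash"] }
end

p logout_flash(:reset_session_stale)
p logout_flash(:reset_session_consistent)
```

With the stale reset, the message is written into the discarded session and the new session carries no flash at all, which is why the redirect target has nothing to display.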


jjinux said…
I think reset_session is broken again. I just upgraded to Rails 2.3.8, and I'm getting test failures related to reset_session.

This may be related: https://rails.lighthouseapp.com/projects/8994/tickets/2200-session-support-broken.