Rails has a feature called "flash". Anything put in the flash is available on the next page load. It's based on the session, but it goes away after the next page load. It's perfect for saving a message for the user even if you're going to do a redirect.
Rails also has a function called reset_session that wipes the user's session and gives him a new one. Agile Web Development with Rails says you should call the reset_session method after the user logs out of your site. This helps avoid session fixation attacks.
Unfortunately, authlogic doesn't do this automatically. Hence, I decided to do it myself. I had code like:
    reset_session
    flash[:notice] = "Log out successful!"

The code works, but the message "Log out successful!" doesn't show up. Fortunately, my tests caught that. It turns out that Rails has a known bug: if you call reset_session, flash breaks. Why?
Rails uses an idiom that looks like:
    def foo
      @foo ||= calculate_foo
    end

This idiom implicitly uses @foo as a cache so that calculate_foo is only called the first time the foo method is called.
The great thing about caches is that they can prevent unnecessary, time-consuming work. The bad thing about them is that you have to deal with cache inconsistency problems.
flash uses this idiom:
    def flash
      unless defined? @_flash
        @_flash = session["flash"] ||= FlashHash.new
        @_flash.sweep
      end
      @_flash
    end

So does the session. You might see where I'm going with this.
When you call reset_session, there are two caches that have become inconsistent, and the fact that there are multiple layers of cache inconsistency is what led to the bug.
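To make the two-layer cache failure concrete, here is an added Ruby illustration (not the post's code and not Rails' source) that models the session and flash accessors with the same caching idiom, a reset_session that leaves both caches stale, and a fixed variant that clears the cached values. ToyController, the in-memory store and the no-op FlashHash#sweep are all constructed for this example.

```ruby
class FlashHash < Hash
  def sweep; end   # Rails' sweep expires entries after one request; a no-op here
end

class ToyController
  def initialize
    @store = { id: 1, data: {} }   # constructed stand-in for the session store
  end

  # Cached with the @foo ||= idiom: the same Hash object for the whole request.
  def session
    @_session ||= @store[:data]
  end

  # Cached on top of session, mirroring the Rails accessor quoted in the post.
  def flash
    unless defined? @_flash
      @_flash = session["flash"] ||= FlashHash.new
      @_flash.sweep
    end
    @_flash
  end

  # Buggy: the store gets a fresh session, but @_session and @_flash still
  # point at the old one, so anything written to flash afterwards is lost.
  def reset_session
    @store = { id: @store[:id] + 1, data: {} }
  end

  # Fixed: drop both cached values so the next access rebuilds them against
  # the new session.
  def reset_session_fixed
    reset_session
    remove_instance_variable(:@_session) if defined? @_session
    remove_instance_variable(:@_flash) if defined? @_flash
  end

  # What the next request would read back from the current session store.
  def persisted_notice
    (@store[:data]["flash"] || {})[:notice]
  end
end

# The post's logout sequence (reset, then set flash); returns what the next page load sees.
def logout(controller, fixed: false)
  controller.session["user_id"] = 42   # an earlier access primes the session cache
  fixed ? controller.reset_session_fixed : controller.reset_session
  controller.flash[:notice] = "Log out successful!"
  controller.persisted_notice
end
```

With the buggy reset, logout(ToyController.new) returns nil because the notice was written into the discarded session; with fixed: true it returns "Log out successful!".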
Comments
This may be related: https://rails.lighthouseapp.com/projects/8994/tickets/2200-session-support-broken.