Session can get lost after a Devise sign in

[BoboFraggins]

When upgrading the various redis-* gems recently, I ran into a problem where the contents of the session appears to get mangled when signing in via Devise. I've tried to narrow this down further, but I'm not familiar enough with the session internals to get to the bottom.

My best reproduction was creating a brand new Rails app. Add devise, redis, and redis-rails. Make a session_store initializer:

Rails.application.config.session_store :redis_store, key: '_my_session', signed: true, expire_after: 1.week

Make the ApplicationController be:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
  before_action :authenticate_user!
end

Make a root route and attempt to sign up on the website.

redis-rack: 2.1.2, redis-actionpack: 5.2.0

The authenticity token fails to match.

If you downgrade to redis-rack: 2.0.6, redis-actionpack: 5.1.0

All of the devise actions work.

I have uploaded my demo app here: https://github.com/BoboFraggins/redis-rack-error

[tubbo]

thanks for the demo app, I'll check it out.

[tubbo]

Removing signed: true seemed to fix the problem. I'm looking into why that might be. But if that's acceptable to you, it's a quick workaround for now.

[BoboFraggins]

We're not blocked; I just wanted you to know about it.

[tubbo]

Thanks @BoboFraggins, I'm gonna start investigating why this occurred. Think it might have to do with some changes made to redis-store recently.

[kazk]

I'm having the same issue.
@tubbo Have you found anything in redis-store? I'd like to help, but I'm not even sure what to look for.

[tubbo]

Haven't had a chance to get around to this. Pull requests welcome :)

[kazk]

@tubbo I think I found the cause and a fix. At least, it fixes the demo app.

I wasn't familiar with the codebase, so I started by stepping through with byebug. Then I noticed find_session and write_session from Rack::Session::Redis are receiving different sid when signed is true because the encrypted/signed value is passed to find_session.

After reading some code in rack, I found that extract_session_id can be overridden in ActionDispatch::Session::RedisStore to fix this.

I'll open a PR soon.