Weihang Jian

Reputation: 8715

Why does Rails change the Set-Cookie header on every request for the same session?

I'm using Rails 4 with the cookie-based session store and found that Rails 4 gives me a different cookie every time I refresh the page, but it can still identify me.

Compare it to another Rack app which uses Rack::Session::Cookie: it only sends Set-Cookie for the first request, until some change to the session data is made.

Why are they designed differently? Is there any reason behind it?

Upvotes: 7

Views: 3894

Answers (2)

Masong

Reputation: 31

The Rails cookie_store uses the EncryptedKeyRotatingCookieJar by default, and generates the encrypt_and_sign value. That value uses the MessageEncryptor#_encrypt method, which uses the random cipher.random_iv. So, every time, the same value will generate a different encrypt_and_sign result.

Upvotes: 3

georgebrock

Reputation: 30043

It's because of the way Rails handles session storage and cookie encryption:

  1. the default session store will try to write the session data to an encrypted cookie on any request that has accessed the session (either to read from it or write to it),
  2. the encrypted value changes even when the plain text value hasn't,
  3. the encryption happens before it reaches the code that's responsible for checking if a cookie value has changed to avoid redundant Set-Cookie headers.

I go into much more detail in answering this question: Why is rails constantly sending back a Set-Cookie header?

Upvotes: 4
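The mechanism both answers describe, as an added example that is not code from the question, the answers, Rails or Rack: a stand-in for encrypt_and_sign built on Ruby's standard OpenSSL binding, drawing a fresh cipher.random_iv on every call, next to a model of the two cookie-writing checks the question contrasts. The key, the session contents and the choice of AES-256-GCM are assumptions of this demo (Rails' own encryptor uses a different cipher and a separate signature); the names rack_style_set_cookie? and rails_style_set_cookie? are hypothetical and only model where the encryption step sits relative to the "did the cookie value change?" comparison.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed demo key; in Rails the key is derived from secret_key_base.
KEY = OpenSSL::Digest::SHA256.digest("constructed demo key, not a real secret")

# Stand-in for encrypt_and_sign: a fresh cipher.random_iv on every call, so the
# same plaintext produces a different cookie value each time. AES-256-GCM is
# an assumption of this demo; its auth tag plays the "sign" role.
def encrypt_and_sign(plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = KEY
  iv = cipher.random_iv          # 12 random bytes; an IV must never repeat under one key
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

# Inverse of the above; returns nil for a malformed, tampered or wrong-key cookie.
def decrypt_and_verify(message)
  parts = message.split("--")
  return nil unless parts.size == 3
  ciphertext, iv, tag = parts.map { |part| Base64.strict_decode64(part) }
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.decrypt
  cipher.key = KEY
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Deterministic encoding with no encryption, standing in for the coder a plain
# Rack::Session::Cookie applies: equal sessions give equal cookie values.
def deterministic_encode(session)
  Base64.strict_encode64(JSON.generate(session))
end

# The cookie jar's redundancy check: emit Set-Cookie only if the value differs
# from the one the browser sent with the request.
def set_cookie_needed?(incoming_cookie, outgoing_cookie)
  incoming_cookie != outgoing_cookie
end

# Rack-style (hypothetical model): the value compared is deterministic, so an
# untouched session produces no Set-Cookie header.
def rack_style_set_cookie?(incoming_cookie, session)
  set_cookie_needed?(incoming_cookie, deterministic_encode(session))
end

# Rails-style (hypothetical model): encryption, with its random IV, happens
# before the comparison, so the check never sees two equal values and
# Set-Cookie goes out on every request that touched the session.
def rails_style_set_cookie?(incoming_cookie, session)
  set_cookie_needed?(incoming_cookie, encrypt_and_sign(JSON.generate(session)))
end

if __FILE__ == $PROGRAM_NAME
  session = { "user_id" => 42 }                      # constructed session data
  first  = encrypt_and_sign(JSON.generate(session))
  second = encrypt_and_sign(JSON.generate(session))
  puts "ciphertexts differ: #{first != second}"
  puts "both decrypt to the same session: #{decrypt_and_verify(first) == decrypt_and_verify(second)}"
  puts "Rack-style Set-Cookie on untouched session: #{rack_style_set_cookie?(deterministic_encode(session), session)}"
  puts "Rails-style Set-Cookie on untouched session: #{rails_style_set_cookie?(first, session)}"
end
```

Running it shows two different cookie values for one session that both verify and decrypt to the same plaintext, a tampered value rejected as nil, and the two checks disagreeing on an untouched session. The practitioner's caveat: the random IV is not a defect to engineer away. A fixed or repeated IV under one key breaks the cipher's guarantees (for GCM catastrophically), so the extra Set-Cookie headers are the price of doing the encryption correctly; if the churn matters, the place to dedupe is on the plaintext before encryption, never by making the ciphertext stable.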
