Greetings and thank you for providing this gem.
Snyk is reporting a vulnerability and I am hunting down gems in use in my project that have not released a version that supports Rack 3 yet. This seems to be one of them. Rails 7.1.0 also expects Rack > 3.0, it seems.

I see there was an update merged last year (#73) but it is not yet released. Is there a timeline for the next release?

This is the exact mismatch error I receive:

  In Gemfile:
    rails (~> 7.1.0, >= 7.1) was resolved to 7.1.2, which depends on
      actionpack (= 7.1.2) was resolved to 7.1.2, which depends on
        rack-session (>= 1.0.1) was resolved to 2.0.0, which depends on
          rack (>= 3.0.0)

    redis-actionpack (>= 5.3.0) was resolved to 5.3.0, which depends on
      redis-rack (>= 2.1.0, < 3) was resolved to 2.1.4, which depends on
        rack (>= 2.0.8, < 3)

I followed the instructions in the redis-rails' readme to do something like this:

# config/environments/production.rb
config.action_dispatch.rack_cache = {
  metastore:   'redis://localhost:6379/1/metastore',
  entitystore: 'redis://localhost:6379/1/entitystore'
}

however every rack cache is a pass. Debugging a bit, I found that anytime rack tries to instantiate the store (redis in our case), it won't because it doesn't seem like one of the store types they support. This error is thrown for me: https://github.com/rtomayko/rack-cache/blob/129dc7ab063c1ce9b4cfd5eb77fbd7fe36ba2aca/lib/rack/cache/storage.rb#L50

And even with redis-rails in my Gemfile and installed, the list of supported store types for Rack looks like this:

=> [:Heap,
 :HEAP,
 :MEM,
 :Disk,
 :DISK,
 :FILE,
 :MemCacheBase,
 :Dalli,
 :MemCached,
 :MEMCACHE,
 :MEMCACHED,
 :GAEStore,
 :GAECACHE,
 :GAE,
 :RAILS]

:RAILS isn't one of the type constants listed in rack-cache, so I'm guessing that's what the redis-rack gem added, but obviously it should be :REDIS instead of :RAILS or the configuration option should be rails://127... but the latter is confusing to the end user.

I'm trying to find where this constant is added so I can fix it. Any guidance here would be appreciated.

Hi there! Any plans to support it?
Thank you!

When upgrading the various redis-* gems recently, I ran into a problem where the contents of the session appears to get mangled when signing in via Devise. I've tried to narrow this down further, but I'm not familiar enough with the session internals to get to the bottom.

My best reproduction was creating a brand new Rails app. Add devise, redis, and redis-rails. Make a session_store initializer:

Rails.application.config.session_store :redis_store, key: '_my_session', signed: true, expire_after: 1.week

Make the ApplicationController be:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
  before_action :authenticate_user!
end

Make a root route and attempt to sign up on the website.

redis-rack: 2.1.2, redis-actionpack: 5.2.0

The authenticity token fails to match.

If you downgrade to redis-rack: 2.0.6, redis-actionpack: 5.1.0

All of the devise actions work.

I have uploaded my demo app here: https://github.com/BoboFraggins/redis-rack-error

Error caused whenever the session is accessed:

ArgumentError - wrong number of arguments (given 3, expected 2):
redis (3.2.2) lib/redis.rb:750:in setnx' () Users/jblake/.rbenv/versions/2.3.0/lib/ruby/gems/2.3.0/bundler/gems/redis-rack-83a7b7b895bb/lib/rack/session/redis.rb:39:inblock (2 levels) in generate_unique_sid'

This is what I setup:

redis_conn = proc {
  Redis.new(url: ENV.fetch('REDIS_URL'))
}

$redis = ConnectionPool.new(size: ENV.fetch('REDIS_POOL', 5), &redis_conn)
uri = URI.parse(ENV.fetch('REDIS_URL'))

Rails.application.config.session_store :redis_store, {
  servers: {
    host: uri.host,
    port: uri.port || nil,
    password: uri.password,
    namespace: 'sessions'
  },
  domain: :all,
  tld_length: 2,
  namespace: :session,
  pool: $redis
}

Looking at the source code, if I were to pass a pool_size instead, you use the Redis Factory to create the redis instance, whereas I'm using Redis.new. Maybe this is an incompatibility, I don't know, all I know is that I want to share the same ConnectionPool for my session store and sidekiq client (I think this is a good idea?)

Sidekiq.configure_client do |config|
  config.redis = $redis
end

This has the same underlying cause as #32.

If I have redis-rack installed, then gem install rake subsequently fails. This is because redis-rack erroneously lists rake as an included executable in its gemspec.

$ gem install rake
rake's executable "rake" conflicts with redis-rack
Overwrite the executable? [yN]  n
ERROR:  Error installing rake:
	"rake" from rake conflicts with installed executable from redis-rack

I'll provide a PR.

I'm not sure if this is an issue with the gem or with our usage of it, but upon updating, our application no longer allowed people to log in. I figured I can open this here in case other people see something similar.

The changes in #37 seem relevant, but I'm going to try and do a bit more digging.

I got this message every time using rake on a project that already have bundled it, no question if it is illegal or not, I've read that Bundler put that there I believe? but is it need/worth?

The `rake` executable in the `rake` gem is being loaded, but it's also present in other gems (redis-rack).
If you meant to run the executable for another gem, make sure you use a project specific binstub (`bundle binstub <gem_name>`).
If you plan to use multiple conflicting executables, generate binstubs for them and disambiguate their names.

Here is how i implemented in a sinatra application:

redis_options = {
host: hostname,
port: port,
password: password,
db: 1,
ssl: true
}

use Rack::Session::Redis, redis_server: redis_options, expire_after: 86400

But the token, it's generation is same even after the logout for a user. This seems to me a security threat. Can please help me if missing on any configuration part.

I am reluctant to bring this up but I don't even know where to begin with this issue.

My terminology is wrong, too. I guess gems are invoked by shell scripts that fire up ruby, load gems, and then invoke the gem in question. Those ruby scripts are getting trashed, being over-written with redis-rack.

So far it's happened to the rake command and the appraisal command.

#!/usr/bin/env ruby
#
# This file was generated by RubyGems.
#
# The application 'redis-rack' is installed as part of a gem, and
# this file is here to facilitate running it.
#

require 'rubygems'

version = ">= 0.a"

if ARGV.first
  str = ARGV.first
  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
    version = $1
    ARGV.shift
  end
end

load Gem.activate_bin_path('redis-rack', 'appraisal', version)

Here is appraisal and the end of the shim says "redis-rack". This also happened to my rake command. It keeps happening when I switch ruby versions.

Sorry about the empty looking Issue. I pressed return before entering the description.

Hello, @tubbo ! 👋

Thanks for you work on this gem 🍻

Is there any plans to release a official 2.1.4 version? Because there are codes present in master, but not released together with 2.1.3 (code made by a PR from @krzysiek1507 🤝 ):

v2.1.3...master

Thanks a lot!

Hi, I am packaging redis-rack for debian and whule running the tests, I am getting an error.
The full log is given here - http://pastebin.com/vRcnBFQr

Can you help me solve this?

I'm using redis-rack with Hanami and Hanami model.

Currently I'm storing the entire user as session[current_user] = user which returns all the user data in the array of hashes as shown below. I've left some of the data out for brevity. The problem is, that I can't parse the data below due to the following:

The time is not formatted as string: "session_start_time"=>2018-03-29 09:48:04 +0200 => I guess I can fix this when setting the time.
The comment sign: "current_user"=>#1
And the greater than and curly braces >}

What I've also noticed is that after I clear the session in the logout action like session.clear there are still references to that session as seen in the empty hashes below.

[ { 
"_csrf_token"=>"token", 
"LOCK"=>"Off", 
"session_start_time"=>2018-03-29 09:48:04 +0200, 
"__last_request_id"=>"fa7b2343a245e7d80455bd56dfe0b665", 
"__flash"=>{ 
"bb3eab2445e49b7d32b33552f3b7a1ef"=>{:success_notice=>"Login successful."}, 
"fa7b2343a245e7d80455bd56dfe0b665"=>{}
 }, 
"current_user"=>#1,
 :name=>"my_name",
 :surname=>"my_surname",
 :email=>"[email protected]" }>}, 
{}, 
{ "__flash"=>{ "0ae1af60026095a75b99902b2bb3b755"=>{:success_notice=>"Logout successful."}, "37858ee72e55d2e307e53732209cc4df"=>{} }, 
"__last_request_id"=>"37858ee72e55d2e307e53732209cc4df", 
"_csrf_token"=>"token",
 "LOCK"=>"Off" },
 {}, 
{} ]

Hi, I'm not sure that I'm testing the right thing, and perhaps I'm not understanding the correct behavior, but I don't think that this gem is setting an expiration on the keys that it stores in redis.

If I setup a simple app with the following settings:

$redis = ConnectionPool.new(size: 25, timeout: 3) do
    Redis.new(url: 'redis://localhost)
end

use Rack::Session::Redis, pool: $redis, key: 'session',
      expires_in: 3600 # 1 hour

And then issue a request:

curl -sI http://localhost:9292 | grep Set-Cookie
Set-Cookie: session=d80dcc50e63c454dc467d3cc703e84f514b790f5ef6c20bbbb7f18be2c22cce5; path=/; HttpOnly

And then ask redis what the ttl is for the associated key:

127.0.0.1:6379> ttl d80dcc50e63c454dc467d3cc703e84f514b790f5ef6c20bbbb7f18be2c22cce5
(integer) -1

There is no TTL set on the key, but I think that there should be, no? Or am I misunderstanding how the expires_in option works?

Cheers

If you check rack/session/redis.rb#L39 provide 3 arguments to Redis#setnx which it only accept 2 arguments(key & value). Why is it your including the @default_options when saving the session to redis?

Browser HAR File: debug.har.zip
Log:

api_1       | 02:36:06 app.1   | ArgumentError - wrong number of arguments (given 3, expected 2):
api_1       | 02:36:06 app.1   |   redis (3.3.3) lib/redis.rb:790:in `setnx'
api_1       | 02:36:06 app.1   |   redis-namespace (1.5.3) lib/redis/namespace.rb:435:in `call_with_namespace'
api_1       | 02:36:06 app.1   |   redis-namespace (1.5.3) lib/redis/namespace.rb:321:in `method_missing'
api_1       | 02:36:06 app.1   |   redis-rack (2.0.2) lib/rack/session/redis.rb:39:in `block (2 levels) in generate_unique_sid'
api_1       | 02:36:06 app.1   |   connection_pool (2.2.1) lib/connection_pool.rb:64:in `block (2 levels) in with'
api_1       | 02:36:06 app.1   |   connection_pool (2.2.1) lib/connection_pool.rb:63:in `handle_interrupt'
api_1       | 02:36:06 app.1   |   connection_pool (2.2.1) lib/connection_pool.rb:63:in `block in with'
api_1       | 02:36:06 app.1   |   connection_pool (2.2.1) lib/connection_pool.rb:60:in `handle_interrupt'
api_1       | 02:36:06 app.1   |   connection_pool (2.2.1) lib/connection_pool.rb:60:in `with'
api_1       | 02:36:06 app.1   |   redis-rack (2.0.2) lib/rack/session/redis.rb:88:in `with'
api_1       | 02:36:06 app.1   |   redis-rack (2.0.2) lib/rack/session/redis.rb:38:in `block in generate_unique_sid'
api_1       | 02:36:06 app.1   |   redis-rack (2.0.2) lib/rack/session/redis.rb:36:in `loop'
api_1       | 02:36:06 app.1   |   redis-rack (2.0.2) lib/rack/session/redis.rb:36:in `generate_unique_sid'
api_1       | 02:36:06 app.1   |   redis-rack (2.0.2) lib/rack/session/redis.rb:52:in `block in get_session'
api_1       | 02:36:06 app.1   |   redis-rack (2.0.2) lib/rack/session/redis.rb:75:in `with_lock'
api_1       | 02:36:06 app.1   |   redis-rack (2.0.2) lib/rack/session/redis.rb:49:in `get_session'
api_1       | 02:36:06 app.1   |   rack (2.0.3) lib/rack/session/abstract/id.rb:425:in `find_session'
api_1       | 02:36:06 app.1   |   rack (2.0.3) lib/rack/session/abstract/id.rb:280:in `load_session'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/session/abstract_store.rb:56:in `block in load_session'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/session/abstract_store.rb:64:in `stale_session_check!'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/session/abstract_store.rb:56:in `load_session'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/request/session.rb:216:in `load!'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/request/session.rb:208:in `load_for_read!'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/request/session.rb:90:in `[]'
api_1       | 02:36:06 app.1   |   warden (1.2.7) lib/warden/session_serializer.rb:31:in `fetch'
api_1       | 02:36:06 app.1   |   warden (1.2.7) lib/warden/proxy.rb:213:in `user'
api_1       | 02:36:06 app.1   |   warden (1.2.7) lib/warden/proxy.rb:145:in `authenticated?'
api_1       | 02:36:06 app.1   |   config/initializers/rack.rb:92:in `block in <main>'
api_1       | 02:36:06 app.1   |   lib/rack/rate_limit.rb:13:in `max_per_hour'
api_1       | 02:36:06 app.1   |   rack-throttle (0.5.0) lib/rack/throttle/time_window.rb:13:in `allowed?'
api_1       | 02:36:06 app.1   |   lib/rack/rate_limit.rb:7:in `call'
api_1       | 02:36:06 app.1   |   warden (1.2.7) lib/warden/manager.rb:36:in `block in call'
api_1       | 02:36:06 app.1   |   warden (1.2.7) lib/warden/manager.rb:35:in `catch'
api_1       | 02:36:06 app.1   |   warden (1.2.7) lib/warden/manager.rb:35:in `call'
api_1       | 02:36:06 app.1   |   versionist (1.6.0) lib/versionist/middleware.rb:39:in `_call'
api_1       | 02:36:06 app.1   |   versionist (1.6.0) lib/versionist/middleware.rb:17:in `call'
api_1       | 02:36:06 app.1   |   rack (2.0.3) lib/rack/etag.rb:25:in `call'
api_1       | 02:36:06 app.1   |   rack (2.0.3) lib/rack/conditional_get.rb:25:in `call'
api_1       | 02:36:06 app.1   |   rack (2.0.3) lib/rack/head.rb:12:in `call'
api_1       | 02:36:06 app.1   |   rack (2.0.3) lib/rack/session/abstract/id.rb:232:in `context'
api_1       | 02:36:06 app.1   |   rack (2.0.3) lib/rack/session/abstract/id.rb:226:in `call'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/cookies.rb:613:in `call'
api_1       | 02:36:06 app.1   |   activerecord (5.0.6) lib/active_record/migration.rb:553:in `call'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/callbacks.rb:38:in `block in call'
api_1       | 02:36:06 app.1   |   activesupport (5.0.6) lib/active_support/callbacks.rb:97:in `__run_callbacks__'
api_1       | 02:36:06 app.1   |   activesupport (5.0.6) lib/active_support/callbacks.rb:750:in `_run_call_callbacks'
api_1       | 02:36:06 app.1   |   activesupport (5.0.6) lib/active_support/callbacks.rb:90:in `run_callbacks'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/callbacks.rb:36:in `call'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/executor.rb:12:in `call'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/remote_ip.rb:79:in `call'
api_1       | 02:36:06 app.1   |   better_errors (2.3.0) lib/better_errors/middleware.rb:84:in `protected_app_call'
api_1       | 02:36:06 app.1   |   better_errors (2.3.0) lib/better_errors/middleware.rb:79:in `better_errors_call'
api_1       | 02:36:06 app.1   |   better_errors (2.3.0) lib/better_errors/middleware.rb:57:in `call'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/debug_exceptions.rb:49:in `call'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
api_1       | 02:36:06 app.1   |   railties (5.0.6) lib/rails/rack/logger.rb:36:in `call_app'
api_1       | 02:36:06 app.1   |   railties (5.0.6) lib/rails/rack/logger.rb:24:in `block in call'
api_1       | 02:36:06 app.1   |   activesupport (5.0.6) lib/active_support/tagged_logging.rb:69:in `block in tagged'
api_1       | 02:36:06 app.1   |   activesupport (5.0.6) lib/active_support/tagged_logging.rb:26:in `tagged'
api_1       | 02:36:06 app.1   |   activesupport (5.0.6) lib/active_support/tagged_logging.rb:69:in `tagged'
api_1       | 02:36:06 app.1   |   railties (5.0.6) lib/rails/rack/logger.rb:24:in `call'
api_1       | 02:36:06 app.1   |   sprockets-rails (3.2.1) lib/sprockets/rails/quiet_assets.rb:13:in `call'
api_1       | 02:36:06 app.1   |   request_store (1.3.2) lib/request_store/middleware.rb:9:in `call'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/request_id.rb:24:in `call'
api_1       | 02:36:06 app.1   |   rack (2.0.3) lib/rack/method_override.rb:22:in `call'
api_1       | 02:36:06 app.1   |   rack (2.0.3) lib/rack/runtime.rb:22:in `call'
api_1       | 02:36:06 app.1   |   activesupport (5.0.6) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/executor.rb:12:in `call'
api_1       | 02:36:06 app.1   |   actionpack (5.0.6) lib/action_dispatch/middleware/static.rb:136:in `call'
api_1       | 02:36:06 app.1   |   rack (2.0.3) lib/rack/sendfile.rb:111:in `call'
api_1       | 02:36:06 app.1   |   rack-mini-profiler (0.10.5) lib/mini_profiler/profiler.rb:282:in `call'
api_1       | 02:36:06 app.1   |   rack-cors (1.0.1) lib/rack/cors.rb:93:in `call'
api_1       | 02:36:06 app.1   |   railties (5.0.6) lib/rails/engine.rb:522:in `call'
api_1       | 02:36:06 app.1   |   puma (3.10.0) lib/puma/configuration.rb:225:in `call'
api_1       | 02:36:06 app.1   |   puma (3.10.0) lib/puma/server.rb:605:in `handle_request'
api_1       | 02:36:06 app.1   |   puma (3.10.0) lib/puma/server.rb:437:in `process_client'
api_1       | 02:36:06 app.1   |   puma (3.10.0) lib/puma/server.rb:301:in `block in run'
api_1       | 02:36:06 app.1   |   puma (3.10.0) lib/puma/thread_pool.rb:120:in `block in spawn_thread'
api_1       | 02:36:06 app.1   |   logging (2.2.2) lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'

Need help clearing up the following

1. Is this repo abandoned?
2. Is there any intended support for session expiration (TTL)?

transactional_write_session in 2.1.0+ merges stored sessions with the session being written. This means that the session can't remove keys!

Functionally, in my Rails 5.2 app, this means that the flash is never disappearing. In the course of a normal request, the flash stored in the session is consumed, and Rails, finding no further flash to store, deletes the flash key from session, but because redis-rack can't persist the session with the removed "flash" key, the flash is read from the existing store and merged into the payload written, effectively preserving it indefinitely.

Here's a simple test to illustrate the issue. Just add it into test/rack/session/redis_test.rb:

  it "doesn't persist keys that don't exist in the incoming session" do
    app = lambda do |env|
      req = Rack::Request.new(env)
      req.session[req.params["add"]] = true if req.params["add"]
      req.session.delete req.params["remove"] if req.params["remove"]
      Rack::Response.new(env["rack.session"].inspect).to_a
    end

    with_pool_management(app) do |pool|
      req = Rack::MockRequest.new(pool)
      res = req.get("/?add=foo")
      cookie = res["Set-Cookie"]
      session_id = cookie[session_match, 1]
      sid = Rack::Session::SessionId.new(session_id)

      session = pool.with { |c| c.get(sid.private_id) }
      session.must_equal("foo" => true)

      res = req.get("/?add=bar", "HTTP_COOKIE" => cookie)
      session = pool.with { |c| c.get(sid.private_id) }
      session.must_equal("foo" => true, "bar" => true)

      res = req.get("/?remove=foo", "HTTP_COOKIE" => cookie)
      session.must_equal("bar" => true) # <-- The test will fail here: the payload is {"foo" => true, "bar" => true}
    end
  end

I know I can set key prefix by adding it after db number of redis url.

Redis::Rack::Connection.new(redis_server: 'redis://localhost/0').store.set('baz', 'aaaa')
# => key is "baz"
Redis::Rack::Connection.new(redis_server: 'redis://localhost/0/foobar').store.set('baz', 'aaaa')
# => key is "foobar:baz"

But it is not a valid redis url in https://www.iana.org/assignments/uri-schemes/prov/redis .
(There is no leading string after db-number in url path)

I find why key prefix works by reading your source:

Redis::Rack::Connection gives only redis_server value option to Redis::Store::Factory.
https://github.com/redis-store/redis-rack/blob/v2.1.3/lib/redis/rack/connection.rb#L34-L36

redis-store/redis-store parses given url, use namespace as key prefix.
https://github.com/redis-store/redis-store/blob/v1.9.0/lib/redis/store/factory.rb#L72-L84

Is it a valid specification of redis-store, which keeping in future version?
Otherwise, can you give a namespace (or key prefix) option to carry it to redis-store?

Unexpected error while processing request: undefined method `private_id' for #<String:0x0000557f81ac6150>
 Did you mean?  private_methods
/usr/local/bundle/gems/redis-rack-2.1.3/lib/rack/session/redis.rb:49:in `block (2 levels) in write_session'

rack (2.2.3), redis-rack 2.1.3, redis-store 1.9.0, sinatra 2.1.0

Any ideas why that method is failing?

Can we get a new gem version published including #11 ?

The passed in options is a ActionDispatch::Request::Session::Options which does not have #key?

This will make it show up on rubygems.org. I'm doing due diligence on our gems and need to find out the licenses for all the gems. Having it show up on rubygems.org cuts out the step of having to go to the github repo.

There are no instructions for how to configure the connection parameters in the Readme.

They are also not in the parent project, but the parent project Readme says that they should be in the child projects.

Hi,

I'm affected by #1 (no way to pass configuration options) but it's still not released.

Could you publish a new release?

Regards

https://github.com/redis-store/redis-rack/blob/master/lib/rack/session/redis.rb#L76

rescues for Errno::ECONNREFUSED
however the redis gem raises:
::Redis::CannotConnectError and if you catch this there is another location a NotMethodError is thrown on set_session. Would a pull request to add an option to raise or suppress errors similar to redis-activesupport gem be useful?

I've monkey-patched our application so if redis is not available the public facing application still renders but you cannot log in. If you think this is useful I can submit a pull request.

I was developing a Rails app that switches the session store to redis and accidentally set expire_after: nil. I found a strange behavior with that setting and I'd like to report it.

• redis-rack stores session keys in cookies and session values in redis.
• expire_after: nil setting makes lifetime mismatch
  • Session key is saved as "session cookie" (expires when browser session ends)
  • Session value is saved in redis without ttl

With expire_after: nil setting, client's session key is sometime expired, but session value is not expired.
So the redis will accumulate more and more non-volatile keys.

Of course, I am aware that using the redis session store with expire_after: nil is not a good idea. However, the current behavior is confused for me.

Reproduction

I checked with the following code.

require "bundler/inline"

gemfile do
  source "https://rubygems.org"
  gem "sinatra", "2.2.0"
  gem "webrick", "1.7.0"
  gem "redis-rack", "2.1.4"
end

require "sinatra/base"
require "redis-rack"

enable :sessions
set :session_store, Rack::Session::Redis, expire_after: nil

get "/" do
  session[:data] = "hello"
end

Sinatra::Application.run!

Procedure

• Launch above application with ruby app.rb
• Access by browser
  • Session key is saved as "session cookie" (expires when browser session ends)
    
  • Session value is saved in redis without ttl

    127.0.0.1:6379> ttl rack:session:2::8e895f0a1d6372551dc5cc220bf5d9d2e82540710540f2c19bbf697d5f3d7e1b (integer) -1

What to do

How the expire_after: nil setting should work.

1. Match the session key deadline

• Session key is stored in session cookie
• Session values as volatile as session keys
  • However, the timing of session cookie expiration is unknown, so set an appropriate default expiration date?

Storing session with expire_after: nil in the session cookie setting is rack's default behavior.
This method seems the least confusing.

2. Match the session value expiration date

• Session key is stored in non-volatile cookie
• Session values stored as redis without ttl

There may be some confusion because the default session behavior of rack.
However, it may be consistent within redis-rack.

3. Nothing to do

As I described earlier, I think it is a confusing and not happy behavior.

After doing a single web request I see

redis 127.0.0.1:6379> keys *
1) "b222a5953b43e7794b729c81901142a784514a2427c0b9eda48ef8c439d38fdc"
2) "e1e5e0c094c35ed8ca9bb24029cf7da96cb3616b0828a805e00afb36800de687"

I want a namespace for session keys so they dont polute top level

Rack::Session::Redis#generate_unique_sid is a method that generates new unique session key that it does not conflict with an existing session key.

But it seems does not work well after #37 PR.

• Rack::Session::Redis#generate_unique_sid skip generating unique session key logic when session.empty?.
  • https://github.com/redis-store/redis-rack/blob/v2.1.4/lib/rack/session/redis.rb#L23
• But generate_unique_sid's argument session is always empty hash.
  • https://github.com/redis-store/redis-rack/blob/v2.1.4/lib/rack/session/redis.rb#L39-L40
• So Rack::Session::Redis#generate_unique_sid's unique session key generation logic does not work.

Reproduction

I checked with the following code, which is prone to session key collisions.

require "bundler/inline"

gemfile do
  source "https://rubygems.org"
  gem "sinatra", "2.2.0"
  gem "webrick", "1.7.0"
  gem "redis-rack", "2.1.4"
end

require "sinatra"
require "redis-rack"

# Returns a counted-up value for each invocation since the process was started
class Countup
  def self.hex(len)
    @count ||= 0
    @count += 1
    sprintf("%0#{len}d", @count)
  end
end

enable :sessions
set :sessions, secure_random: Countup
set :session_store, Rack::Session::Redis

get "/" do
  session[:access] ||= 0
  session[:access] += 1
  "sid: #{session.id}, access: #{session[:access]}"
end

Sinatra::Application.run!

Procedure

• Launch above application with ruby app.rb
• Access by browser (sid: 00000000000000000000000000000001)
  • session[:access] increases with each access.
• Kill ruby app.rb application and relaunch.
• Access by secret browser (sid: 00000000000000000000000000000001)
  • session[:access] is initialized.
  • session is shared with first browser and secret browser.

The above situation occurs even with correct random number generation logic, although the collisions are fewer.

How to fix

Revert #37 is easy way, maybe.
If you want to avoid that, it would require a more complicated modification.

What did you do?

Done nothing, no code or config changes done.

What did you expect to happen?

Expected to easily deploy a new image given that there is NO change set in the associated repository/code.

What actually happened?

Getting unknown errors involving below 2 main problems, thereby not enabling a normal deployment with the same code:

1. /usr/local/bundle/gems/ruby-next-core-1.0.0/lib/.rbnext/2.6/ruby-next/core/data.rb:5: warning: constant ::Data is deprecated
2. /usr/local/bundle/gems/redis-rack-3.0.0/lib/rack/session/redis.rb:8:in module:Session': uninitialized constant Rack::Session::Abstract::PersistedSecure (NameError)`

Additional context

Upon deploying the previously stable image of our code (as of 25 September 2023), the k8s pods are successfully running. But, we are stuck here because we aren't able to push new changes to our stable code as the same stable code only is now NOT able to provide a stable service upon trying out a fresh deployment.
Below is the error that we are getting, causing the associated K8s service pod in CrashLoopBackOff state:

Adding the same error in text form below:
/usr/local/bundle/gems/ruby-next-core-1.0.0/lib/.rbnext/2.6/ruby-next/core/data.rb:5: warning: constant ::Data is deprecated /usr/local/bundle/gems/ruby-next-core-1.0.0/lib/.rbnext/2.6/ruby-next/core/data.rb:5: warning: constant ::Data is deprecated /usr/local/bundle/gems/ruby-next-core-1.0.0/lib/.rbnext/2.6/ruby-next/core/data.rb:5: warning: constant ::Data is deprecated /usr/local/bundle/gems/redis-rack-3.0.0/lib/rack/session/redis.rb:8:inmodule:Session': uninitialized constant Rack::Session::Abstract::PersistedSecure (NameError)
Did you mean? Rack::Session::Abstract::Persisted
from /usr/local/bundle/gems/redis-rack-3.0.0/lib/rack/session/redis.rb:7:in <module:Rack>' from /usr/local/bundle/gems/redis-rack-3.0.0/lib/rack/session/redis.rb:6:in <top (required)>'
from /usr/local/bundle/gems/redis-rack-3.0.0/lib/redis-rack.rb:3:in require' from /usr/local/bundle/gems/redis-rack-3.0.0/lib/redis-rack.rb:3:in <top (required)>'
from /usr/local/bundle/gems/redis-actionpack-5.4.0/lib/action_dispatch/middleware/session/redis_store.rb:4:in require' from /usr/local/bundle/gems/redis-actionpack-5.4.0/lib/action_dispatch/middleware/session/redis_store.rb:4:in <top (required)>'
from /usr/local/bundle/gems/redis-actionpack-5.4.0/lib/redis-actionpack.rb:4:in require' from /usr/local/bundle/gems/redis-actionpack-5.4.0/lib/redis-actionpack.rb:4:in <top (required)>'
from /usr/local/bundle/gems/redis-rails-5.0.2/lib/redis-rails.rb:4:in require' from /usr/local/bundle/gems/redis-rails-5.0.2/lib/redis-rails.rb:4:in <top (required)>'
from /usr/local/lib/ruby/site_ruby/2.5.0/bundler/runtime.rb:81:in require' from /usr/local/lib/ruby/site_ruby/2.5.0/bundler/runtime.rb:81:in block (2 levels) in require'
from /usr/local/lib/ruby/site_ruby/2.5.0/bundler/runtime.rb:76:in each' from /usr/local/lib/ruby/site_ruby/2.5.0/bundler/runtime.rb:76:in block in require'
from /usr/local/lib/ruby/site_ruby/2.5.0/bundler/runtime.rb:65:in each' from /usr/local/lib/ruby/site_ruby/2.5.0/bundler/runtime.rb:65:in require'
from /usr/local/lib/ruby/site_ruby/2.5.0/bundler.rb:114:in require' from /src/config/application.rb:7:in <top (required)>'
from /src/config/environment.rb:2:in require_relative' from /src/config/environment.rb:2:in <top (required)>'
from config.ru:3:in require_relative' from config.ru:3:in block in

Environment

Ruby version: 2.5.3

Ruby Next version: Unknown because we aren't directly using it via the Gemfile. It seems some other library is indirectly using it so we can't confirm the version.

Parser version: Unknown because we aren't directly using it via the Gemfile.

Unparser version: Unknown because we aren't directly using it via the Gemfile.

see
https://rubygems.org/gems/redis-rack

Fetching gem metadata from https://rubygems.org/......
Could not find redis-rack-2.1.1 in any of the sources

can you add something to the readme about how to configure this? i want to change the session store to point to a redis box on another machine. how do i do that?

With redis-rack 2.1.3, I got this error.

     NoMethodError:
       undefined method `public_id' for "b2df46eb3fa3bdfc657fd814bc668114":String
       Did you mean?  public_send
     # /usr/local/bundle/gems/redis-rack-2.1.3/lib/rack/session/redis.rb:57:in `block (2 levels) in delete_session'
     # /usr/local/bundle/gems/redis-rack-2.1.3/lib/redis/rack/connection.rb:22:in `with'
     # /usr/local/bundle/gems/redis-rack-2.1.3/lib/rack/session/redis.rb:82:in `with'
     # /usr/local/bundle/gems/redis-rack-2.1.3/lib/rack/session/redis.rb:56:in `block in delete_session'
     # /usr/local/bundle/gems/redis-rack-2.1.3/lib/rack/session/redis.rb:70:in `with_lock'
     # /usr/local/bundle/gems/redis-rack-2.1.3/lib/rack/session/redis.rb:55:in `delete_session'
     # /usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:379:in `commit_session'

commit_session in rack calls delete_session which is overridden by rack-redis, however, a string is passed for the second argument when the method is called.
https://github.com/rack/rack/blob/2-2-stable/lib/rack/session/abstract/id.rb#L378

This change might be related.
https://github.com/redis-store/redis-rack/pull/50/files#diff-c50b22f679eb8e97b8f1dcda1da50f4bR57-R58

Any workaround?

I'm getting:

Bundler could not find compatible versions for gem "rack":
  In Gemfile:
    rails (~> 4.1.0) ruby depends on
      actionpack (= 4.1.0) ruby depends on
        rack (~> 1.5.2) ruby

    redis-rails (>= 0) ruby depends on
      redis-actionpack (~> 4) ruby depends on
        redis-rack (~> 1.5.0) ruby depends on
          rack (1.5.0)

Updating the gem dependency to "~> 1.5.0" should be fine.

Hi,
Thank you for your great work.
redis-store is now 1.4.0, but redis-rack/redis-actionpack/redis-activesupport still requires 1.3.0, when will these gems be released?

Thanks.

In redis-store/redis-actionpack#22, an issue occurred in an unrelated gem because the ActionDispatch::Session::RedisStore class is not inheriting from AbstractStore, but still mixing in all of its functionality. To allow the redis session store to become identified as a canonical session store, move the functionality from Rack::Session::Redis into modules, and include those modules into the former base class. This will allow ActionDispatch::Session::RedisStore to inherit from ActionDispatch::Session::AbstractStore and preserve the functionality from Rack::Session::Redis.

I've implemented the redis rack with azure redis. The expectation was the session token will be invalid once the user is logout since the session is stored in the redis. But that didn't happen. I'm still able to use the session token in the postman request even after logout and getting the correct response.

Please let me know if i miss anything

Using the Redis gem > 4.2, we can't write anything to the session using redis-rack and a redis session.

Below is a repo-script. Using with 4.1.4 works fine; with 4.2 it throws an exception:

/.rbenv/versions/2.7.1/lib/ruby/gems/2.7.0/gems/redis-4.2.1/lib/redis.rb:836: warning: The called method `set' is defined here
ArgumentError: unknown keywords: :path, :domain, :expire_after, :secure, :httponly, :defer, :renew, :sidbits, :secure_random, :redis_server
	/.rbenv/versions/2.7.1/lib/ruby/gems/2.7.0/gems/redis-4.2.1/lib/redis.rb:836:in `set'
	/.rbenv/versions/2.7.1/lib/ruby/gems/2.7.0/gems/redis-store-1.8.2/lib/redis/store/interface.rb:9:in `set'
	/.rbenv/versions/2.7.1/lib/ruby/gems/2.7.0/gems/redis-store-1.8.2/lib/redis/store/ttl.rb:8:in `set'

As far as I can tell, this is because of the change under this commit to the redis gem that removed the options in favour of explicit keyword arguments.

We can fix our version of redis to 4.1.4 to get around this for now, but this does appear to be something that redis-store will need fixing for too.

#!/usr/bin/env ruby

require 'bundler/inline'

REDIS_VERSION = "4.1.4"
# REDIS_VERSION = "4.2.1" # boom

gemfile do
  source 'https://rubygems.org'
  ruby '2.7.1'

  gem "rack"
  gem "redis", REDIS_VERSION
  gem "redis-rack"
end

class Sesh
  def call(env)
    env['rack.session']['id'] = 1
    [200, {}, ["Using #{REDIS_VERSION}"]]
  end
end

handler = Rack::Builder.new do
  use Rack::Session::Redis
  run Sesh.new
end

run handler

The use of Rack:Session::Abstract::ID is deprecated and should be replaced with Rack::Session::Abstract::Persisted.

See: rack/rack@4224c02

Would be great if this could be updated in a new release to ensure compatibility with newer versions of Rack.

I'm getting an NoMethodError - undefined method `private_id' in version 2.1.2. My application is working with version 2.0.6 - no other changes.

This matches the error referenced by @Looooong in #50 (comment)

Gems:

• rack (2.2.2)
• sinatra (2.0.8.1)
• redis (4.1.3)
• redis-rack (2.1.2)
• redis-store (1.8.2)
• hiredis (0.6.3)

Backtrace:

/ruby/2.6.5/gems/redis-rack-2.1.2/lib/rack/session/redis.rb in block (2 levels) in write_session
with { |c| c.set sid.private_id, new_session, options }
/ruby/2.6.5/gems/redis-rack-2.1.2/lib/redis/rack/connection.rb in with
block.call(store)
/ruby/2.6.5/gems/redis-rack-2.1.2/lib/rack/session/redis.rb in with
@conn.with(&block)
/ruby/2.6.5/gems/redis-rack-2.1.2/lib/rack/session/redis.rb in block in write_session
with { |c| c.set sid.private_id, new_session, options }
/ruby/2.6.5/gems/redis-rack-2.1.2/lib/rack/session/redis.rb in with_lock
yield
/ruby/2.6.5/gems/redis-rack-2.1.2/lib/rack/session/redis.rb in write_session
with_lock(req, false) do
/ruby/2.6.5/gems/rack-2.2.2/lib/rack/session/abstract/id.rb in commit_session
if not data = write_session(req, session_id, session_data, options)
/ruby/2.6.5/gems/rack-2.2.2/lib/rack/session/abstract/id.rb in context
commit_session(req, res)
/ruby/2.6.5/gems/rack-2.2.2/lib/rack/session/abstract/id.rb in call
context(env)
/ruby/2.6.5/gems/rack-protection-2.0.8.1/lib/rack/protection/xss_header.rb in call
status, headers, body = @app.call(env)
/ruby/2.6.5/gems/rack-protection-2.0.8.1/lib/rack/protection/path_traversal.rb in call
app.call env
/ruby/2.6.5/gems/rack-protection-2.0.8.1/lib/rack/protection/json_csrf.rb in call
status, headers, body = app.call(env)
/ruby/2.6.5/gems/rack-protection-2.0.8.1/lib/rack/protection/base.rb in call
result or app.call(env)
/ruby/2.6.5/gems/rack-protection-2.0.8.1/lib/rack/protection/base.rb in call
result or app.call(env)
/ruby/2.6.5/gems/rack-protection-2.0.8.1/lib/rack/protection/frame_options.rb in call
status, headers, body = @app.call(env)
/ruby/2.6.5/gems/rack-2.2.2/lib/rack/logger.rb in call
@app.call(env)
/ruby/2.6.5/gems/rack-2.2.2/lib/rack/common_logger.rb in call
status, headers, body = @app.call(env)
/ruby/2.6.5/gems/sinatra-2.0.8.1/lib/sinatra/base.rb in call
call_without_check(env)
/ruby/2.6.5/gems/sinatra-2.0.8.1/lib/sinatra/base.rb in call
env['sinatra.commonlogger'] ? @app.call(env) : super
/ruby/2.6.5/gems/rack-2.2.2/lib/rack/head.rb in call
status, headers, body = @app.call(env)
/ruby/2.6.5/gems/rack-2.2.2/lib/rack/method_override.rb in call
@app.call(env)
/ruby/2.6.5/gems/sinatra-2.0.8.1/lib/sinatra/show_exceptions.rb in call
@app.call(env)
/ruby/2.6.5/gems/sinatra-2.0.8.1/lib/sinatra/base.rb in call
result, callback = app.call(env), env['async.callback']
/ruby/2.6.5/gems/sinatra-2.0.8.1/lib/sinatra/base.rb in call
@stack.call(env)
/ruby/2.6.5/gems/sinatra-2.0.8.1/lib/sinatra/base.rb in block in call
synchronize { prototype.call(env) }
/ruby/2.6.5/gems/sinatra-2.0.8.1/lib/sinatra/base.rb in synchronize
yield
/ruby/2.6.5/gems/sinatra-2.0.8.1/lib/sinatra/base.rb in call
synchronize { prototype.call(env) }
/ruby/2.6.5/gems/puma-4.3.3/lib/puma/configuration.rb in call
@app.call(env)
/ruby/2.6.5/gems/puma-4.3.3/lib/puma/server.rb in handle_request
status, headers, res_body = @app.call(env)
/ruby/2.6.5/gems/puma-4.3.3/lib/puma/server.rb in process_client
case handle_request(client, buffer)
/ruby/2.6.5/gems/puma-4.3.3/lib/puma/server.rb in block in run
process_client client, buffer
/ruby/2.6.5/gems/puma-4.3.3/lib/puma/thread_pool.rb in block in spawn_thread
block.call(work, *extra)

Greetings, I'm trying to setup a redis session store on Heroku, but want to specify the ssl_params option in connecting to Redis. I'm able to make a connection with a regular redis:// connection but not with rediss://.

The following works with a plain Redis gem connection:

redis = Redis.new(
  url: @config.REDIS_TLS_URL,
  ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE }
)

I wished to do something similar with redis-rack:

use Rack::Session::Redis,
          expire_after: ONE_MONTH,
          redis_server: config.REDIS_TLS_URL,
          ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE }

However, the connection is failing and suggests that the ssl_params is not being found:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
	/Users/soumyaray/.rbenv/versions/3.0.1/lib/ruby/gems/3.0.0/gems/redis-4.2.5/lib/redis/connection/ruby.rb:260:in `connect_nonblock'

# rest of traceback removed

Hello @tubbo

if you could release 1.6.1 with this small fix

venuenext@5924cbe

this is all I need to use redis-activesupport 5.0.2 and all the redis-* 5.x on a rails 4.2 app

this is what I am using now

gem 'redis', '~> 3.1.0'
gem 'redis-store', '~> 1.3.0'
gem 'redis-activesupport', '~> 5.0.2'
gem 'redis-actionpack', '~> 5.0.1'
gem 'redis-namespace'
gem 'redis-rails', '~> 5.0.2'
gem 'redis-rack', github: 'venuenext/redis-rack', branch: '1.6.x'
gem 'redis-rack-cache'

thanks