Defect #17023
closed
The error flash message on session expiration is not in the language of the user but of the user of the previous request
Added by Holger Just almost 11 years ago.
Updated about 10 years ago.
Description
One of our customers at Planio noticed that after an expired session, the notification message is displayed in a wrong language. The i18n gem saves the current locale in Thread.current[:i18n_config], which on some app servers (i.e. most other than Webrick) is preserved between requests. That means, if the current locale is not updated for each request, the one from the previous request will be used.
Currently, the session_expiration before filter in ApplicationController does not set the locale, leading to the flash message with the expiration message being saved to the session in the language of the previous user.
The attached patch fixes this behaviour. It sets the language defined for the user_id of the session (if present) or the default language.
This bug is probably not a grave security issue as no further information besides the language of the previous request is leaked.
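The following stand-alone Ruby script is an added illustration of the mechanism described in this issue; it is not Redmine's code and not the attached patch. It replaces Thread.current[:i18n_config] with a thread-local named :example_locale, and the constants MESSAGES, USER_LANGUAGES and the helper names (current_locale, set_locale, l, session_expiration_leaky, session_expiration_fixed, simulate) are all assumptions of the example. Two requests run on a single worker thread, as a persistent app server would run them: the "leaky" handler reuses whatever locale the previous request left in the thread, while the "fixed" handler sets the locale from the session's user_id (or the default) before rendering the flash message.

```ruby
# Added example (not Redmine's code): a stand-alone simulation of the locale leak
# described in this issue. The real culprit is Thread.current[:i18n_config]; here
# a thread-local named :example_locale plays that role.
DEFAULT_LOCALE = 'en'.freeze

# Constructed translation table standing in for Redmine's locale files.
MESSAGES = {
  'en' => { error_session_expired: 'Your session has expired. Please login again.' },
  'de' => { error_session_expired: 'Ihre Sitzung ist abgelaufen. Bitte melden Sie sich erneut an.' }
}.freeze

# Constructed user preferences (assumption): user_id => preferred language.
USER_LANGUAGES = { 1 => 'de', 2 => 'en' }.freeze

def current_locale
  Thread.current[:example_locale] || DEFAULT_LOCALE
end

def set_locale(locale)
  Thread.current[:example_locale] = locale
end

# Minimal stand-in for Redmine's l() helper.
def l(key)
  MESSAGES.fetch(current_locale).fetch(key)
end

# Before-fix behaviour: the expiration message is rendered without touching the
# locale, so whatever the previous request left in the thread is used.
def session_expiration_leaky(session)
  l(:error_session_expired)
end

# After-fix behaviour (what the attached patch does): pick the language of the
# session's user_id if present, otherwise the default, before rendering.
def session_expiration_fixed(session)
  set_locale(USER_LANGUAGES.fetch(session[:user_id], DEFAULT_LOCALE))
  l(:error_session_expired)
end

# Runs the requests sequentially on ONE worker thread, as a threaded or
# persistent app server would. Each request is a hash with :session and :expired.
# Returns the flash message produced for each expired request ('ok' otherwise).
def simulate(handler, requests)
  results = []
  Thread.new do
    requests.each do |req|
      if req[:expired]
        results << send(handler, req[:session])
      else
        # A normal request goes through user_setup/set_localization, which
        # sets the locale for that request's user.
        set_locale(USER_LANGUAGES.fetch(req[:session][:user_id], DEFAULT_LOCALE))
        results << 'ok'
      end
    end
  end.join
  results
end

# Constructed request sequence: a German-speaking user (id 1) makes a normal
# request, then an English-speaking user (id 2) hits the expiration check.
REQUESTS = [
  { session: { user_id: 1 }, expired: false },
  { session: { user_id: 2 }, expired: true }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "leaky: #{simulate(:session_expiration_leaky, REQUESTS).last}"
  puts "fixed: #{simulate(:session_expiration_fixed, REQUESTS).last}"
end
```

Running the script prints the German message for the leaky handler and the English one for the fixed handler. The same effect disappears on a server that forks or creates a fresh thread per request, which is why the bug is easy to miss in development under Webrick.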
- Category changed from Text formatting to I18n
- Target version set to Candidate for next minor release
- Target version changed from Candidate for next minor release to 2.6.0
- Target version changed from 2.6.0 to 2.5.3
Since it's a simple-to-fix issue.
I'm not fond of the assignment inside the if test, though.
Another option would be to move the session_expiration filter after the user_setup. That way, we would have a proper User.current set and could just reuse the existing logic in set_localization. This could then look like this:
    def session_expiration
      if session[:user_id]
        if session_expired? && !try_to_autologin
          reset_session
          # User.current has already been set by user_setup, so this picks the user's language
          set_localization
          flash[:error] = l(:error_session_expired)
          redirect_to signin_url
        else
          # Session still valid: refresh the last-activity timestamp
          session[:atime] = Time.now.utc.to_i
        end
      end
    end
user_setup requires session, but why not simply call set_localization when session is expired?
Because set_localization uses User.current to find the language selected in the user's preferences; however, User.current is only set by user_setup. As such, we can run set_localization only after user_setup.
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
- Status changed from Resolved to Closed
- Target version changed from 2.5.3 to 2.6.0
- Has duplicate Defect #18747: Automatic log out error message is in another language. added
Removed to start a new ticket, sorry for the noise.