Loading rails sessions manually

On my current project, we wanted to write some code to load a specific
user’s session data (not the current user). This turned out to be a
little trickier than we thought.

We use active_record_store for our sessions, so session data is stored
in a sessions table in the database. In theory, we should be able to
read the session with code like:

>> CGI::Session::ActiveRecordStore::Session.find_by_id(1).data
ArgumentError: undefined class/module Foo
        from /usr/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session/active_record_store.rb:84:in `load'
        from /usr/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session/active_record_store.rb:84:in `unmarshal'
        from /usr/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session/active_record_store.rb:122:in `data'
        from (irb):1

Unfortunately, if the session contains any custom classes, this code
will fail. Behind the scenes, session data is stored as a Base64
encoded, Marshal dumped string. If there are classes in the dump that
ruby does not know about yet, the Marshal.load will fail.

If we manually load the class, it will work:

>> Foo
=> Foo
>> CGI::Session::ActiveRecordStore::Session.find_by_id(1).data
=> {:foo=>#, "flash"=>{}}

Our sessions contain a bunch of custom classes, and we did not want to
manually load them. Since we knew rails handled this properly, we dug
into the depths of rails and found this code in
(Rails 2.0.2):

def stale_session_check!
rescue ArgumentError => argument_error
  if argument_error.message =~ %r{undefined class/module ([\w:]*\w)}
      # Note that the regexp does not allow $1 to end with a ':'
    rescue LoadError, NameError => const_error
      raise ActionController::SessionRestoreError, <<-end_msg
Session contains objects whose class definition isn\'t available.
Remember to require the classes for all objects kept in the session.
(Original exception: #{const_error.message} [#{const_error.class}])


This code assumes you pass in a block which loads the session. If an
error is raised trying to load a class, it calls constantize on the
class name, which forces rails to find and load the class. It does this
repeatedly until all load errors have been resolved.

We can use this method now to load our session:

>> ActionController::CgiRequest.new(CGI.new).instance_eval do
?>   stale_session_check! do
?>     CGI::Session::ActiveRecordStore::Session.find_by_id(1).data
>>   end
>> end
=> {:foo=>#, "flash"=>{}}

This is not the prettiest code, but it allows us to get at the logic
rails uses to load sessions.

Paul Gross

Paul Gross

I'm a lead software developer in Seattle working for Braintree Payments.

Read More