The error flash message on session expiration is not in the language of the user but of the user of the previous request
|Assignee:||Jean-Philippe Lang||% Done:|
One of our customers at Planio noticed that after an expired session, the notification message is displayed in a wrong language. The i18n gem saves the current locale in
Thread.current[:i18n_config], which on some app servers (i.e. most other than Webrick) is preserved between requests. That means, if the current locale is not updated for each request, the one from the previous request will be used.
session_expiration before filter in
ApplicationController does not set the locale, leading to the flash message with the expiration message to be saved to the session in the language of the previous user.
The attached patch fixes this behaviour. It sets the language defined for the user_id of the session (if present) or the default language.
This bug is probably not a grave security issue as no further information besides the language of the previous request is leaked.
#4 Updated by Holger Just almost 4 years ago
Another option would be to move the
session_expiration filter after the
user_setup. That way, we would have a proper
User.current set and could just reuse the existing logic in
set_localization. This could then look like this:
def session_expiration if session[:user_id] if session_expired? && !try_to_autologin reset_session set_localization flash[:error] = l(:error_session_expired) redirect_to signin_url else session[:atime] = Time.now.utc.to_i end end end