The error flash message on session expiration is not in the language of the user but of the user of the previous request
One of our customers at Planio noticed that after an expired session, the notification message is displayed in a wrong language. The i18n gem saves the current locale in Thread.current[:i18n_config], which on some app servers (i.e. most other than Webrick) is preserved between requests. That means, if the current locale is not updated for each request, the one from the previous request will be used.
The session_expiration before filter in ApplicationController does not set the locale, leading to the flash message with the expiration message to be saved to the session in the language of the previous user.
The attached patch fixes this behaviour. It sets the language defined for the user_id of the session (if present) or the default language.
This bug is probably not a grave security issue as no further information besides the language of the previous request is leaked.
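The following added example (not Redmine's code and not the attached patch) reproduces the behaviour described above with one reused worker thread, then applies the described fix of setting the locale from the session's user_id before building the message. The `:demo_locale` key, the user table, the messages and all method names are constructed stand-ins for the i18n gem and Redmine's controller.

```ruby
# Constructed stand-in for the i18n gem's per-thread locale. The report says
# the real gem keeps its config in Thread.current[:i18n_config]; this demo
# uses its own key so it runs without the gem.
DEFAULT_LOCALE = :en
MESSAGES = { en: "Your session has expired.", de: "Ihre Sitzung ist abgelaufen." }.freeze
USERS = { 1 => :de, 2 => :en }.freeze # hypothetical user_id => language

def current_locale
  Thread.current[:demo_locale] || DEFAULT_LOCALE
end

def set_locale(locale)
  Thread.current[:demo_locale] = locale
end

def locale_for(session)
  USERS.fetch(session[:user_id], DEFAULT_LOCALE)
end

# Simplified request cycle. The expiration check runs first, like the
# session_expiration before filter. With fixed: true the locale is set from
# the session's user (or the default) before the flash text is built.
def handle_request(session, fixed:)
  if session[:expired]
    set_locale(locale_for(session)) if fixed
    return MESSAGES.fetch(current_locale) # text that ends up in the flash
  end
  set_locale(locale_for(session))
  "ok"
end

# One long-lived thread serves every request in order, like a pooled
# app-server worker whose thread-local state survives between requests.
def serve(requests, fixed:)
  Thread.new { requests.map { |req| handle_request(req, fixed: fixed) } }.value
end

# Constructed traffic: user 1 (German) is served first, then user 2
# (English) arrives on the same worker with an expired session.
REQUESTS = [{ user_id: 1 }, { user_id: 2, expired: true }].freeze

if __FILE__ == $PROGRAM_NAME
  puts "unfixed: #{serve(REQUESTS, fixed: false).last}"
  puts "fixed:   #{serve(REQUESTS, fixed: true).last}"
end
```
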