Fixed that an ArgumentError is thrown when request.session_options[:id] is read in the following scenario: when the cookie store is used, and the session contains a serialized object of an unloaded class, and no session data accesses have occurred yet. Pushed the stale_session_check responsibility out of the SessionHash and down into the session store, closer to where the deserialization actually occurs. Added some test coverage for this case and others related to deserialization of unloaded types.

[#4938]

Signed-off-by: José Valim <jose.valim@gmail.com>

2 files changed, 38 insertions, 36 deletions

diff --git a/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb b/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
index bc1d6fab83..08bc80dbc2 100644
--- a/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
@@ -88,9 +88,7 @@ module ActionDispatch
 
         def exists?
           return @exists if instance_variable_defined?(:@exists)
-          stale_session_check! do
-            @exists = @by.send(:exists?, @env)
-          end
+          @exists = @by.send(:exists?, @env)
         end
 
         def loaded?
@@ -115,29 +113,12 @@ module ActionDispatch
           end
 
           def load!
-            stale_session_check! do
-              id, session = @by.send(:load_session, @env)
-              @env[ENV_SESSION_OPTIONS_KEY][:id] = id
-              replace(session.stringify_keys)
-              @loaded = true
-            end
+            id, session = @by.send(:load_session, @env)
+            @env[ENV_SESSION_OPTIONS_KEY][:id] = id
+            replace(session.stringify_keys)
+            @loaded = true
           end
 
-          def stale_session_check!
-            yield
-          rescue ArgumentError => argument_error
-            if argument_error.message =~ %r{undefined class/module ([\w:]*\w)}
-              begin
-                # Note that the regexp does not allow $1 to end with a ':'
-                $1.constantize
-              rescue LoadError, NameError => const_error
-                raise ActionDispatch::Session::SessionRestoreError, "Session contains objects whose class definition isn't available.\nRemember to require the classes for all objects kept in the session.\n(Original exception: #{const_error.message} [#{const_error.class}])\n"
-              end
-              retry
-            else
-              raise
-            end
-          end
       end
 
       DEFAULT_OPTIONS = {
@@ -204,16 +185,20 @@ module ActionDispatch
         end
 
         def load_session(env)
-          sid = current_session_id(env)
-          sid, session = get_session(env, sid)
-          [sid, session]
+          stale_session_check! do
+            sid = current_session_id(env)
+            sid, session = get_session(env, sid)
+            [sid, session]
+          end
         end
 
         def extract_session_id(env)
-          request = ActionDispatch::Request.new(env)
-          sid = request.cookies[@key]
-          sid ||= request.params[@key] unless @cookie_only
-          sid
+          stale_session_check! do
+            request = ActionDispatch::Request.new(env)
+            sid = request.cookies[@key]
+            sid ||= request.params[@key] unless @cookie_only
+            sid
+          end
         end
 
         def current_session_id(env)
@@ -229,6 +214,22 @@ module ActionDispatch
           end
         end
 
+        def stale_session_check!
+          yield
+        rescue ArgumentError => argument_error
+          if argument_error.message =~ %r{undefined class/module ([\w:]*\w)}
+            begin
+              # Note that the regexp does not allow $1 to end with a ':'
+              $1.constantize
+            rescue LoadError, NameError => const_error
+              raise ActionDispatch::Session::SessionRestoreError, "Session contains objects whose class definition isn't available.\nRemember to require the classes for all objects kept in the session.\n(Original exception: #{const_error.message} [#{const_error.class}])\n"
+            end
+            retry
+          else
+            raise
+          end
+        end
+
         def exists?(env)
           current_session_id(env).present?
         end
@@ -245,7 +246,6 @@ module ActionDispatch
         def destroy(env)
           raise '#destroy needs to be implemented.'
         end
-
     end
   end
 end
diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index 7ebd532f4a..dce47c63bc 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -63,11 +63,13 @@ module ActionDispatch
 
         def unpacked_cookie_data(env)
           env["action_dispatch.request.unsigned_session_cookie"] ||= begin
-            request = ActionDispatch::Request.new(env)
-            if data = request.cookie_jar.signed[@key]
-              data.stringify_keys!
+            stale_session_check! do
+              request = ActionDispatch::Request.new(env)
+              if data = request.cookie_jar.signed[@key]
+                data.stringify_keys!
+              end
+              data || {}
             end
-            data || {}
           end
         end