igorkasyanchuk / rails_performance

Monitor performance of your Rails applications (self-hosted and free)
https://www.railsjazz.com/
MIT License
957 stars 54 forks

REDIS + DEVISE #6

Closed luispimenta closed 4 years ago

luispimenta commented 4 years ago

How could Redis interfere with the Devise session? Because today I went up to production to monitor, and I have about 200 customers that use the system; it burst with everyone's session, one user sees data from another user who has no relationship to him, and what it implied was that he changed session for no reason. I almost had a heart attack, and I had to remove the gem :(

igorkasyanchuk commented 4 years ago

What was the configuration of rails_performance in the initializer? And how is your session configured? Stored in Redis?

igorkasyanchuk commented 4 years ago

You can search in the code and see https://github.com/igorkasyanchuk/rails_performance/search?q=session&unscoped_q=session that the gem is not doing anything with the session.

igorkasyanchuk commented 4 years ago

And I think Redis works in a separate space: https://github.com/igorkasyanchuk/rails_performance/blob/a8ba6db1cf8b0d35b38c256961d9e4480634eaf8/lib/rails_performance.rb#L26

luispimenta commented 4 years ago

initializers/rails_performance.rb

```ruby
RailsPerformance.setup do |config|
  # all gem keys are written under their own Redis namespace
  config.redis    = Redis::Namespace.new("#{Rails.env}-rails-performance", redis: Redis.new)
  config.duration = 4.hours

  config.debug    = false # currently not used
  config.enabled  = true

  # protect your Performance Dashboard with HTTP BASIC password
  config.http_basic_authentication_enabled   = true
  config.http_basic_authentication_user_name = 'rails_performance'
  config.http_basic_authentication_password  = 'pass'

  # if you need additional rules to check user permissions
  config.verify_access_proc = proc { |controller| true }
  # for example when you have `current_user`
  # config.verify_access_proc = proc { |controller| controller.current_user && controller.current_user.admin? }
end if defined?(RailsPerformance)
```

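To make the maintainer's "separate space" point concrete for the configuration above, here is an added example (not code from the gem or from this thread) that models how a namespaced client keeps the gem's keys apart from anything else in the same Redis database. FakeRedis and PrefixedRedis are constructed stand-ins so it runs offline; in the real app the wrapper is Redis::Namespace from the redis-namespace gem, and the key names below are made up for illustration.

```ruby
# In-memory stand-in for a Redis connection (constructed for this example).
class FakeRedis
  def initialize; @data = {}; end
  def set(key, value); @data[key] = value; "OK"; end
  def get(key); @data[key]; end
  # Minimal glob support: only a trailing '*' is needed here.
  def keys(pattern = "*")
    prefix = pattern.chomp("*")
    @data.keys.select { |k| k.start_with?(prefix) }
  end
end

# Mirrors the behaviour the issue relies on: every key written through the
# wrapped client is transparently prefixed with "<namespace>:".
class PrefixedRedis
  def initialize(namespace, redis:); @ns = namespace; @redis = redis; end
  def set(key, value); @redis.set("#{@ns}:#{key}", value); end
  def get(key); @redis.get("#{@ns}:#{key}"); end
end

# Returns [gem_keys, session_keys, overlap]; overlap is empty when the
# namespace really isolates the gem's writes from the session store's keys.
def isolation_report(env: "production")
  shared = FakeRedis.new
  perf = PrefixedRedis.new("#{env}-rails-performance", redis: shared)

  # constructed stand-in for the request timings the gem records
  perf.set("requests|2020-10-01T10:00|HomeController#index", "42ms")
  perf.set("requests|2020-10-01T10:01|CarsController#index", "88ms")

  # constructed stand-in for a Redis-backed session store writing raw keys
  # (the thread's app actually uses the default cookie store, so even this
  # write would not exist there)
  shared.set("_motorsw_session:abc123", "user_id=7")

  gem_keys = shared.keys("#{env}-rails-performance:*")
  session_keys = shared.keys("_motorsw_session:*")
  [gem_keys, session_keys, gem_keys & session_keys]
end
```

Against a live instance the same check is `redis-cli --scan --pattern 'production-rails-performance:*'`, which should list only the gem's keys.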
igorkasyanchuk commented 4 years ago

what about the session? how it's configured?

luispimenta commented 4 years ago

I don't have any other files for the session; Devise is as standard when installing. Inside devise.rb the only thing it has is `config.skip_session_storage = [:http_auth]`

igorkasyanchuk commented 4 years ago

What about config/initializers/session_store.rb?

luispimenta commented 4 years ago

All commented:

```ruby
# Be sure to restart your server when you modify this file.
#Rails.application.config.session_store :cache_store, key: '_motorsw_session'
```

igorkasyanchuk commented 4 years ago

Per the documentation, Rails uses ActionDispatch::Session::CookieStore as the default session storage. Plus you don't use Redis for storing sessions.

Also, you can see above no "session" in the code in the gem.

So I guess the issue might be in the code.

What exactly was the issue? One user was logged in as another user? User A saw records from user B? How are records returned? From the DB? If user A was not logged in as user B, how is this possible? What is the code which returns the records?

luispimenta commented 4 years ago

Users were already logged into the system. A user has a relationship with a company. This company, for example, has the records CARS and NOTES. The user reloaded the page and had access to ANOTHER COMPANY, but I found it very strange because I link it 1 x 1; it should never happen, but it happened as soon as I went up on the net.

igorkasyanchuk commented 4 years ago

Please show code from the controller, from the index method I suppose. I want to see how you load records for current_user.

igorkasyanchuk commented 4 years ago

I'm closing this issue, without clear steps to reproduce and samples. I've used this gem in production on my own project where Devise, Redis, etc. exist, and all was working well. The gem has 0 impact on the session, because it's not using it. Plus the Redis store uses a separate namespace.