devise-jwt: Rails 7.0.1 with disabled Sessionstore ActionDispatch::Request::Session::DisabledSessionError (Your application has sessions disabled. To write to the session you must first configure a session store):

Hey,

Anything I missed on the update? Any hint is welcome. Updated from Rails 6 to Rails 7.01.

Debugging information

[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] ActionDispatch::Request::Session::DisabledSessionError (Your application has sessions disabled. To write to the session you must first configure a session store):
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4]   
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/request/session.rb:253:in `load_for_write!'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/request/session.rb:151:in `[]='
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] warden (1.2.9) lib/warden/session_serializer.rb:27:in `store'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] warden (1.2.9) lib/warden/proxy.rb:187:in `set_user'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] devise (4.8.1) lib/devise/controllers/sign_in_out.rb:53:in `sign_in'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] devise (4.8.1) app/controllers/devise/registrations_controller.rb:106:in `sign_up'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] devise (4.8.1) app/controllers/devise/registrations_controller.rb:24:in `create'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/abstract_controller/base.rb:214:in `process_action'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_controller/metal/rendering.rb:53:in `process_action'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/abstract_controller/callbacks.rb:234:in `block in process_action'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activesupport (7.0.1) lib/active_support/callbacks.rb:118:in `block in run_callbacks'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actiontext (7.0.1) lib/action_text/rendering.rb:20:in `with_renderer'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actiontext (7.0.1) lib/action_text/engine.rb:69:in `block (4 levels) in <class:Engine>'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activesupport (7.0.1) lib/active_support/callbacks.rb:127:in `instance_exec'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activesupport (7.0.1) lib/active_support/callbacks.rb:127:in `block in run_callbacks'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activesupport (7.0.1) lib/active_support/callbacks.rb:138:in `run_callbacks'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/abstract_controller/callbacks.rb:233:in `process_action'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_controller/metal/rescue.rb:22:in `process_action'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_controller/metal/instrumentation.rb:67:in `block in process_action'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activesupport (7.0.1) lib/active_support/notifications.rb:206:in `block in instrument'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activesupport (7.0.1) lib/active_support/notifications/instrumenter.rb:24:in `instrument'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activesupport (7.0.1) lib/active_support/notifications.rb:206:in `instrument'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_controller/metal/instrumentation.rb:66:in `process_action'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_controller/metal/params_wrapper.rb:259:in `process_action'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activerecord (7.0.1) lib/active_record/railties/controller_runtime.rb:27:in `process_action'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/abstract_controller/base.rb:151:in `process'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionview (7.0.1) lib/action_view/rendering.rb:39:in `process'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_controller/metal.rb:188:in `dispatch'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_controller/metal.rb:251:in `dispatch'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/routing/route_set.rb:49:in `dispatch'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/routing/route_set.rb:32:in `serve'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/routing/mapper.rb:18:in `block in <class:Constraints>'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/routing/mapper.rb:48:in `serve'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/journey/router.rb:50:in `block in serve'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/journey/router.rb:32:in `each'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/journey/router.rb:32:in `serve'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/routing/route_set.rb:850:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] warden-jwt_auth (0.6.0) lib/warden/jwt_auth/middleware/token_dispatcher.rb:20:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] warden-jwt_auth (0.6.0) lib/warden/jwt_auth/middleware/revocation_manager.rb:21:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] rack (2.2.3) lib/rack/builder.rb:244:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] warden-jwt_auth (0.6.0) lib/warden/jwt_auth/middleware.rb:22:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] warden (1.2.9) lib/warden/manager.rb:36:in `block in call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] warden (1.2.9) lib/warden/manager.rb:34:in `catch'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] warden (1.2.9) lib/warden/manager.rb:34:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] rack (2.2.3) lib/rack/etag.rb:27:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] rack (2.2.3) lib/rack/conditional_get.rb:40:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] rack (2.2.3) lib/rack/head.rb:12:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/http/permissions_policy.rb:22:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/middleware/cookies.rb:693:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activesupport (7.0.1) lib/active_support/callbacks.rb:99:in `run_callbacks'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/middleware/debug_exceptions.rb:28:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/middleware/show_exceptions.rb:26:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] railties (7.0.1) lib/rails/rack/logger.rb:36:in `call_app'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] railties (7.0.1) lib/rails/rack/logger.rb:25:in `block in call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activesupport (7.0.1) lib/active_support/tagged_logging.rb:99:in `block in tagged'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activesupport (7.0.1) lib/active_support/tagged_logging.rb:37:in `tagged'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] activesupport (7.0.1) lib/active_support/tagged_logging.rb:99:in `tagged'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] railties (7.0.1) lib/rails/rack/logger.rb:25:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/middleware/remote_ip.rb:93:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/middleware/request_id.rb:26:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] rack (2.2.3) lib/rack/method_override.rb:24:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] rack (2.2.3) lib/rack/runtime.rb:22:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] rack (2.2.3) lib/rack/sendfile.rb:110:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] actionpack (7.0.1) lib/action_dispatch/middleware/host_authorization.rb:137:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] rack-cors (1.1.1) lib/rack/cors.rb:100:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] railties (7.0.1) lib/rails/engine.rb:530:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] puma (5.5.2) lib/puma/configuration.rb:249:in `call'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] puma (5.5.2) lib/puma/request.rb:77:in `block in handle_request'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] puma (5.5.2) lib/puma/thread_pool.rb:340:in `with_force_shutdown'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] puma (5.5.2) lib/puma/request.rb:76:in `handle_request'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] puma (5.5.2) lib/puma/server.rb:447:in `process_client'
[c477da4b-b0fd-4a2b-8fc2-9eeb7b7726f4] puma (5.5.2) lib/puma/thread_pool.rb:147:in `block in spawn_thread'

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 6
  • Comments: 26 (1 by maintainers)

Most upvoted comments

@russellbrown @cchoi94 seems that you have moved on, but got my session storage to work on 7.0.2.4 by putting following code in config/application.rb

(https://www.youtube.com/watch?v=PqizV5l1yFE @ 10:40 (references following ruby documentation: https://api.rubyonrails.org/v6.0.3.3/classes/ActionDispatch/Session/CookieStore.html#method-c-new))

config.session_store :cookie_store, key: '_interslice_session'
config.middleware.use ActionDispatch::Cookies
config.middleware.use config.session_store, config.session_options

Thanks, this worked for me using Rails 7.0.3 and Ruby 3.1.1

I came late to the party, but I found @Dujota’s solution to be cleaner, and I found a way to centrally configure store: false, instead of overwriting each method separately that might need it:

#config/initializers/devise.rb
Devise.setup do |config|
  # ... other config
  
  config.warden do |warden|
    warden.scope_defaults :user, store: false  # <---- This will use the config even if it's not passed to the method opts
    warden.scope_defaults :admin, store: false # <---- You need to configure it for each scope you need it for
    # you might also want to overwrite the FailureApp in this section
  end
end

This way you don’t need to hack the session store in rack, it’s enough to disable it altogether (if you don’t use an api_only application already):

# config/application.rb
module YourApp
  class Application < Rails::Application
    # ... other config
    
    config.session_store :disabled
  end
end

@russellbrown I don’t have :timeoutable included, however I’m still getting this error. This is what my user model looks like:

class User < ApplicationRecord
  devise :database_authenticatable, :registerable,
    :recoverable, :rememberable, :validatable,
    :jwt_authenticatable,
    jwt_revocation_strategy: JwtDenylist
end

any thoughts here? Thanks

Workaround if you do not want to enable session_store and set it to cookie:

controller/concerns/rack_session_fix.rb

module RackSessionFix
  extend ActiveSupport::Concern
  class FakeRackSession < Hash
    def enabled?
      false
    end
  end
  included do
    before_action :set_fake_rack_session_for_devise
    private
    def set_fake_rack_session_for_devise
      request.env['rack.session'] ||= FakeRackSession.new
    end
  end
end

controller/registrations_controller.rb

class RegistrationsController < Devise::RegistrationsController
  include RackSessionFix
  ...
end

@arpu Sure, I just removed :timeoutable from the model I’m authenticating (in my case User):

class User < ApplicationRecord
  devise :database_authenticatable, :recoverable, :rememberable, :validatable, :lockable, :trackable, :timeoutable, :jwt_authenticatable, jwt_revocation_strategy: self
end

… and the error disappeared. I had only included :timeoutable as standard based on previous projects but I realised JWT expires the tokens anyway so I didn’t really need Devise’s implementation.

Hope that helps!

Bro, I have run into this thing too. Why can't I reach you on the phone, brother?

It looks like a devise issue, right? I’ll keep it open until it’s fixed on their end. Thanks for the references.

This worked for me

config.session_store :cookie_store, key: '_interslice_session'
config.middleware.use ActionDispatch::Cookies
config.middleware.use config.session_store, config.session_options

config.api_only = true

@Dujota / @janospapp 's solution also worked for me.

It was enough to add…

config.warden do |warden|
  warden.scope_defaults :user, store: false
end

… into config/initializers/devise.rb and the error went away and I was able to successfully sign_in / sign_out.

Setup:

  • devise (4.8.1)
  • devise-jwt (0.10.0)
  • rails (7.0.4)
  • ruby-3.1.3

In case anyone else is struggling with this, you don't need to do any temp patching or enable cookie store/session store.

This worked for me

config.session_store :cookie_store, key: '_interslice_session'
config.middleware.use ActionDispatch::Cookies
config.middleware.use config.session_store, config.session_options

config.api_only = true

The above could lead to a potential bug when looking at the current_user, as the session will only persist the last user that logged in and not the bearer token’s user. (ie: link a service provider to a user)

class CurrentUserController < ApplicationController
  before_action :authenticate_user!

  def index
    render json: current_user, status: :ok #<---- should only return the auth user not the last user that devise called sign_in
  end
end

Solution:

# application.rb
config.session_store :disabled

class Users::RegistrationsController < Devise::RegistrationsController
  protected

  def sign_up(resource_name, resource)
    # bypass the session store used by the default implementation
    sign_in resource, store: false # <------- THIS
  end
end

You can pretty much call sign_in :user, store: false anywhere you need and it will properly work, just don't forget to let Devise know it should transmit the JWT in the header for your custom auth route

for example:

class API::V1::NextAuthController < ApplicationController
  def handle_auth(kind)
    if service.present?
      service.update(service_attributes)
    else
      user.services.create(service_attributes)
    end
    sign_in @user, store: false # <----- THIS
  end
end

# devise.rb
jwt.dispatch_requests = [
  ["POST", %r{^/login$}],
  ["POST", %r{^/api/v1/nextauth$}]
]

Hopefully this saves people some time in the future 👍
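
An added example, not part of any comment in this thread and not Warden or Devise source: a simplified pure-Ruby model of the three configurations discussed here (sessions disabled with the default store, cookie store enabled, and sessions disabled with `store: false`). The class names, tokens and users are constructed for illustration, and the lookup order (session user first, bearer token second) is the behaviour described in the comment above.

```ruby
# Simplified model (constructed for illustration; not Warden or Devise source).
class DisabledSessionError < StandardError; end

# Stand-in for the Rack session: reads work, writes fail when no store is configured.
class ModelSession
  def initialize(enabled:, data: {})
    @enabled = enabled
    @data = data
  end

  def [](key)
    @data[key]
  end

  def []=(key, value)
    raise DisabledSessionError, "sessions disabled" unless @enabled
    @data[key] = value
  end
end

# Stand-in for the auth proxy: a user serialized in the session wins, and the
# bearer token is only consulted when the session holds no user.
class ModelProxy
  def initialize(session, token_users)
    @session = session
    @token_users = token_users # constructed token => user table
  end

  def sign_in(user, store: true)
    @session["user"] = user if store
    user
  end

  def current_user(bearer_token)
    @session["user"] || @token_users[bearer_token]
  end
end

TOKENS = { "token-alice" => "alice", "token-bob" => "bob" }.freeze

# Returns [outcome of signing bob in, user resolved for a request with alice's token].
def scenario(session_enabled:, store:)
  proxy = ModelProxy.new(ModelSession.new(enabled: session_enabled), TOKENS)
  outcome = begin
    proxy.sign_in("bob", store: store)
    :signed_in
  rescue DisabledSessionError
    :disabled_session_error
  end
  [outcome, proxy.current_user("token-alice")]
end
```

The middle case is the one to test for in a real application: with a session store enabled, a request carrying one user's token can resolve to whoever was last written to the session.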

ActionDispatch::Request::Session::DisabledSessionError (Your application has sessions disabled. To write to the session you must first configure a session store):

app/controllers/admin/sessions_controller.rb:16:in `create'

same error after also session configuration in application.rb

@arpu I ran into the exact same problem and I found for me it seemed to be related to the :timeoutable module being included in the devise method in the model. I just removed :timeoutable and then the error didn’t happen any more.