Store classes as string in session, to avoid serialization and stale data issues, closes #356

CHANGELOG.rdoc

@@ -12,6 +12,7 @@
   * Fix a bug when accessing a path with (.:format) (by github.com/klacointe)
   * Do not add unlock routes unless unlock strategy is email or both
   * Email should be case insensitive
+  * Store classes as string in session, to avoid serialization and stale data issues
 
 * deprecations
   * use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead

lib/devise/rails/warden_compat.rb

@@ -15,11 +15,18 @@ end
 
 class Warden::SessionSerializer
   def serialize(record)
-    [record.class, record.id]
+    [record.class.name, record.id]
   end
 
   def deserialize(keys)
     klass, id = keys
-    klass.find(:first, :conditions => { :id => id })
+    klass.constantize.find(:first, :conditions => { :id => id })
+  rescue NameError => e
+    if e.message =~ /uninitialized constant #{klass}/
+      Rails.logger.debug "Trying to deserialize invalid class #{klass}"
+      nil
+    else
+      raise
+    end
   end
 end

test/integration/authenticatable_test.rb

@@ -322,4 +322,23 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
       post user_registration_path(:format => 'xml', :user => {:email => "test@example.com", :password => "invalid"} )
     end
   end
+
+  test 'does not explode when invalid user class is stored in session' do
+    klass = User
+    paths = ActiveSupport::Dependencies.autoload_paths.dup
+
+    begin
+      sign_in_as_user
+      assert warden.authenticated?(:user)
+
+      Object.send :remove_const, :User
+      ActiveSupport::Dependencies.autoload_paths.clear
+
+      visit "/users"
+      assert_not warden.authenticated?(:user)
+    ensure
+      Object.const_set(:User, klass)
+      ActiveSupport::Dependencies.autoload_paths.replace(paths)
+    end
+  end
 end