Class: ActionController::Session::CookieStore

Inherits:
Object
  • Object
show all
Includes:
AbstractStore::SessionUtils
Defined in:
lib/action_controller/session/cookie_store.rb

Overview

This cookie-based session store is the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. Cookie-based sessions are dramatically faster than the alternatives.

If you have more than 4K of session data or don’t want your data to be visible to the user, pick another session store.

CookieOverflow is raised if you attempt to store more than 4K of data.

A message digest is included with the cookie to ensure data integrity: a user cannot alter his user_id without knowing the secret key included in the hash. New apps are generated with a pregenerated secret in config/environment.rb. Set your own for old apps you’re upgrading.

Session options:

  • :secret: An application-wide key string or block returning a string called per generated digest. The block is called with the CGI::Session instance as an argument. It’s important that the secret is not vulnerable to a dictionary attack. Therefore, you should choose a secret consisting of random numbers and letters and more than 30 characters. Examples:

    :secret => '449fe2e7daee471bffae2fd8dc02313d'
:secret => Proc.new { User.current_user.secret_key }

  • :digest: The message digest algorithm used to verify session integrity defaults to ‘SHA1’ but may be any digest provided by OpenSSL, such as ‘MD5’, ‘RIPEMD160’, ‘SHA256’, etc.

To generate a secret key for an existing application, run “rake secret” and set the key in config/environment.rb.

Note that changing digest or secret invalidates all existing sessions!

Defined Under Namespace

Classes: CookieOverflow

Constant Summary collapse

MAX =

Cookies can typically store 4096 bytes.

4096
SECRET_MIN_LENGTH =

characters

30
DEFAULT_OPTIONS = 
{
  :key          => '_session_id',
  :domain       => nil,
  :path         => "/",
  :expire_after => nil,
  :httponly     => true
}.freeze
ENV_SESSION_KEY = 
"rack.session".freeze
ENV_SESSION_OPTIONS_KEY = 
"rack.session.options".freeze

Instance Method Summary collapse

Constructor Details

#initialize(app, options = {}) ⇒ CookieStore

Returns a new instance of CookieStore.



59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
 
# File 'lib/action_controller/session/cookie_store.rb', line 59

def initialize(app, options = {})
  # Process legacy CGI options
  options = options.symbolize_keys
  if options.has_key?(:session_path)
    ActiveSupport::Deprecation.warn "Giving :session_path to SessionStore is deprecated, " <<
      "please use :path instead", caller
    options[:path] = options.delete(:session_path)
  end
  if options.has_key?(:session_key)
    ActiveSupport::Deprecation.warn "Giving :session_key to SessionStore is deprecated, " <<
      "please use :key instead", caller
    options[:key] = options.delete(:session_key)
  end
  if options.has_key?(:session_http_only)
    ActiveSupport::Deprecation.warn "Giving :session_http_only to SessionStore is deprecated, " <<
      "please use :httponly instead", caller
    options[:httponly] = options.delete(:session_http_only)
  end

  @app = app

  # The session_key option is required.
  ensure_session_key(options[:key])
  @key = options.delete(:key).freeze

  # The secret option is required.
  ensure_secret_secure(options[:secret])
  @secret = options.delete(:secret).freeze

  @digest = options.delete(:digest) || 'SHA1'
  @verifier = verifier_for(@secret, @digest)

  @default_options = DEFAULT_OPTIONS.merge(options).freeze

  freeze
end

Instance Method Details

#call(env) ⇒ Object 



96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
 
# File 'lib/action_controller/session/cookie_store.rb', line 96

def call(env)
  prepare!(env)
  
  status, headers, body = @app.call(env)

  session_data = env[ENV_SESSION_KEY]
  options = env[ENV_SESSION_OPTIONS_KEY]
  request = ActionController::Request.new(env)
  
  if !(options[:secure] && !request.ssl?) && (!session_data.is_a?(AbstractStore::SessionHash) || session_data.loaded? || options[:expire_after])
    session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.loaded?

    persistent_session_id!(session_data)
    session_data = marshal(session_data.to_hash)

    raise CookieOverflow if session_data.size > MAX
    cookie = Hash.new
    cookie[:value] = session_data
    unless options[:expire_after].nil?
      cookie[:expires] = Time.now + options[:expire_after]
    end

    Rack::Utils.set_cookie_header!(headers, @key, cookie.merge(options))
  end

  [status, headers, body]
end