Class: CGI::Session::CookieStore
- Defined in:
- lib/action_controller/session/cookie_store.rb
Overview
This cookie-based session store is the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. Cookie-based sessions are dramatically faster than the alternatives.
If you have more than 4K of session data or don’t want your data to be visible to the user, pick another session store.
CookieOverflow is raised if you attempt to store more than 4K of data. TamperedWithCookie is raised if the data integrity check fails.
A message digest is included with the cookie to ensure data integrity: a user cannot alter his user_id
without knowing the secret key included in the hash. New apps are generated with a pregenerated secret in config/environment.rb. Set your own for old apps you’re upgrading.
Session options:
-
:secret
: An application-wide key string or block returning a string called per generated digest. The block is called with the CGI::Session instance as an argument. It’s important that the secret is not vulnerable to a dictionary attack. Therefore, you should choose a secret consisting of random numbers and letters and more than 30 characters. Examples::secret => '449fe2e7daee471bffae2fd8dc02313d' :secret => Proc.new { User.current_user.secret_key }
-
:digest
: The message digest algorithm used to verify session integrity defaults to ‘SHA1’ but may be any digest provided by OpenSSL, such as ‘MD5’, ‘RIPEMD160’, ‘SHA256’, etc.
To generate a secret key for an existing application, run “rake secret” and set the key in config/environment.rb.
Note that changing digest or secret invalidates all existing sessions!
Defined Under Namespace
Classes: CookieOverflow, TamperedWithCookie
Constant Summary collapse
- MAX =
Cookies can typically store 4096 bytes.
4096
- SECRET_MIN_LENGTH =
characters
30
Instance Method Summary collapse
-
#close ⇒ Object
Write the session data cookie if it was loaded and has changed.
-
#delete ⇒ Object
Delete the session data by setting an expired cookie with no data.
-
#ensure_secret_secure(secret) ⇒ Object
To prevent users from using something insecure like “Password” we make sure that the secret they’ve provided is at least 30 characters in length.
-
#generate_digest(data) ⇒ Object
Generate the HMAC keyed message digest.
-
#initialize(session, options = {}) ⇒ CookieStore
constructor
Called from CGI::Session only.
-
#restore ⇒ Object
Restore session data from the cookie.
-
#update ⇒ Object
Wait until close to write the session data cookie.
Constructor Details
#initialize(session, options = {}) ⇒ CookieStore
Called from CGI::Session only.
52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
# File 'lib/action_controller/session/cookie_store.rb', line 52 def initialize(session, = {}) # The session_key option is required. if ['session_key'].blank? raise ArgumentError, 'A session_key is required to write a cookie containing the session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb' end # The secret option is required. ensure_secret_secure(['secret']) # Keep the session and its secret on hand so we can read and write cookies. @session, @secret = session, ['secret'] # Message digest defaults to SHA1. @digest = ['digest'] || 'SHA1' # Default cookie options derived from session settings. @cookie_options = { 'name' => ['session_key'], 'path' => ['session_path'], 'domain' => ['session_domain'], 'expires' => ['session_expires'], 'secure' => ['session_secure'], 'http_only' => ['session_http_only'] } # Set no_hidden and no_cookies since the session id is unused and we # set our own data cookie. ['no_hidden'] = true ['no_cookies'] = true end |
Instance Method Details
#close ⇒ Object
Write the session data cookie if it was loaded and has changed.
109 110 111 112 113 114 115 |
# File 'lib/action_controller/session/cookie_store.rb', line 109 def close if defined?(@data) && !@data.blank? updated = marshal(@data) raise CookieOverflow if updated.size > MAX ('value' => updated) unless updated == @original end end |
#delete ⇒ Object
Delete the session data by setting an expired cookie with no data.
118 119 120 121 122 |
# File 'lib/action_controller/session/cookie_store.rb', line 118 def delete @data = nil ('value' => nil, 'expires' => 1.year.ago) end |
#ensure_secret_secure(secret) ⇒ Object
To prevent users from using something insecure like “Password” we make sure that the secret they’ve provided is at least 30 characters in length.
85 86 87 88 89 90 91 92 93 94 95 96 97 |
# File 'lib/action_controller/session/cookie_store.rb', line 85 def ensure_secret_secure(secret) # There's no way we can do this check if they've provided a proc for the # secret. return true if secret.is_a?(Proc) if secret.blank? raise ArgumentError, %Q{A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase of at least #{SECRET_MIN_LENGTH} characters" } in config/environment.rb} end if secret.length < SECRET_MIN_LENGTH raise ArgumentError, %Q{Secret should be something secure, like "#{CGI::Session.generate_unique_id}". The value you provided, "#{secret}", is shorter than the minimum length of #{SECRET_MIN_LENGTH} characters} end end |
#generate_digest(data) ⇒ Object
Generate the HMAC keyed message digest. Uses SHA1 by default.
125 126 127 128 |
# File 'lib/action_controller/session/cookie_store.rb', line 125 def generate_digest(data) key = @secret.respond_to?(:call) ? @secret.call(@session) : @secret OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(@digest), key, data) end |
#restore ⇒ Object
Restore session data from the cookie.
100 101 102 103 |
# File 'lib/action_controller/session/cookie_store.rb', line 100 def restore @original = @data = unmarshal(@original) || {} end |
#update ⇒ Object
Wait until close to write the session data cookie.
106 |
# File 'lib/action_controller/session/cookie_store.rb', line 106 def update; end |