Class: ActionController::Session::CookieStore
- Defined in:
- lib/action_controller/session/cookie_store.rb
Overview
This cookie-based session store is the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. Cookie-based sessions are dramatically faster than the alternatives.
If you have more than 4K of session data or don’t want your data to be visible to the user, pick another session store.
CookieOverflow is raised if you attempt to store more than 4K of data.
A message digest is included with the cookie to ensure data integrity: a user cannot alter his user_id
without knowing the secret key included in the hash. New apps are generated with a pregenerated secret in config/environment.rb. Set your own for old apps you’re upgrading.
Session options:
-
:secret
: An application-wide key string or block returning a string called per generated digest. The block is called with the CGI::Session instance as an argument. It’s important that the secret is not vulnerable to a dictionary attack. Therefore, you should choose a secret consisting of random numbers and letters and more than 30 characters. Examples::secret => '449fe2e7daee471bffae2fd8dc02313d' :secret => Proc.new { User.current_user.secret_key }
-
:digest
: The message digest algorithm used to verify session integrity defaults to ‘SHA1’ but may be any digest provided by OpenSSL, such as ‘MD5’, ‘RIPEMD160’, ‘SHA256’, etc.
To generate a secret key for an existing application, run “rake secret” and set the key in config/environment.rb.
Note that changing digest or secret invalidates all existing sessions!
Defined Under Namespace
Classes: CookieOverflow
Constant Summary collapse
- MAX =
Cookies can typically store 4096 bytes.
4096
- SECRET_MIN_LENGTH =
characters
30
- DEFAULT_OPTIONS =
{ :key => '_session_id', :domain => nil, :path => "/", :expire_after => nil, :httponly => true }.freeze
- ENV_SESSION_KEY =
"rack.session".freeze
- ENV_SESSION_OPTIONS_KEY =
"rack.session.options".freeze
- HTTP_SET_COOKIE =
"Set-Cookie".freeze
Instance Method Summary collapse
- #call(env) ⇒ Object
-
#initialize(app, options = {}) ⇒ CookieStore
constructor
A new instance of CookieStore.
Constructor Details
#initialize(app, options = {}) ⇒ CookieStore
Returns a new instance of CookieStore.
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 |
# File 'lib/action_controller/session/cookie_store.rb', line 58 def initialize(app, = {}) # Process legacy CGI options = .symbolize_keys if .has_key?(:session_path) ActiveSupport::Deprecation.warn "Giving :session_path to SessionStore is deprecated, " << "please use :path instead", caller [:path] = .delete(:session_path) end if .has_key?(:session_key) ActiveSupport::Deprecation.warn "Giving :session_key to SessionStore is deprecated, " << "please use :key instead", caller [:key] = .delete(:session_key) end if .has_key?(:session_http_only) ActiveSupport::Deprecation.warn "Giving :session_http_only to SessionStore is deprecated, " << "please use :httponly instead", caller [:httponly] = .delete(:session_http_only) end @app = app # The session_key option is required. ensure_session_key([:key]) @key = .delete(:key).freeze # The secret option is required. ensure_secret_secure([:secret]) @secret = .delete(:secret).freeze @digest = .delete(:digest) || 'SHA1' @verifier = verifier_for(@secret, @digest) @default_options = DEFAULT_OPTIONS.merge().freeze freeze end |
Instance Method Details
#call(env) ⇒ Object
95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 |
# File 'lib/action_controller/session/cookie_store.rb', line 95 def call(env) env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env) env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup status, headers, body = @app.call(env) session_data = env[ENV_SESSION_KEY] = env[ENV_SESSION_OPTIONS_KEY] if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || [:expire_after] session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?) session_data = marshal(session_data.to_hash) raise CookieOverflow if session_data.size > MAX = Hash.new [:value] = session_data unless [:expire_after].nil? [:expires] = Time.now + [:expire_after] end = (@key, .merge()) unless headers[HTTP_SET_COOKIE].blank? headers[HTTP_SET_COOKIE] << "\n#{}" else headers[HTTP_SET_COOKIE] = end end [status, headers, body] end |