Class: ActionDispatch::Session::CookieStore

Inherits:
AbstractSecureStore
  • Object
show all
Defined in:
lib/action_dispatch/middleware/session/cookie_store.rb

Overview

# Action Dispatch Session CookieStore

This cookie-based session store is the Rails default. It is dramatically faster than the alternatives.

Sessions typically contain at most a user ID and flash message; both fit within the 4096 bytes cookie size limit. A ‘CookieOverflow` exception is raised if you attempt to store more than 4096 bytes of data.

The cookie jar used for storage is automatically configured to be the best possible option given your application’s configuration.

Your cookies will be encrypted using your application’s ‘secret_key_base`. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in Rails 4.

Configure your session store in an initializer:

Rails.application.config.session_store :cookie_store, key: '_your_app_session'

In the development and test environments your application’s ‘secret_key_base` is generated by Rails and stored in a temporary file in `tmp/local_secret.txt`. In all other environments, it is stored encrypted in the `config/credentials.yml.enc` file.

If your application was not updated to Rails 5.2 defaults, the ‘secret_key_base` will be found in the old `config/secrets.yml` file.

Note that changing your ‘secret_key_base` will invalidate all existing session. Additionally, you should take care to make sure you are not relying on the ability to decode signed cookies generated by your app in external applications or JavaScript before changing it.

Because CookieStore extends ‘Rack::Session::Abstract::Persisted`, many of the options described there can be used to customize the session cookie that is generated. For example:

Rails.application.config.session_store :cookie_store, expire_after: 14.days

would set the session cookie to expire automatically 14 days after creation. Other useful options include ‘:key`, `:secure`, `:httponly`, and `:same_site`.

Defined Under Namespace

Classes: SessionId

Constant Summary collapse

DEFAULT_SAME_SITE =

:nodoc:

proc { |request| request.cookies_same_site_protection }

Instance Method Summary collapse

Methods inherited from AbstractSecureStore

#generate_sid

Methods included from SessionObject

#commit_session, #loaded_session?, #prepare_session

Methods included from StaleSessionCheck

#stale_session_check!

Methods included from Compatibility

#generate_sid

Constructor Details

#initialize(app, options = {}) ⇒ CookieStore

Returns a new instance of CookieStore.



64
65
66
67
68
# File 'lib/action_dispatch/middleware/session/cookie_store.rb', line 64

def initialize(app, options = {})
  options[:cookie_only] = true
  options[:same_site] = DEFAULT_SAME_SITE if !options.key?(:same_site)
  super
end

Instance Method Details

#delete_session(req, session_id, options) ⇒ Object



70
71
72
73
74
75
# File 'lib/action_dispatch/middleware/session/cookie_store.rb', line 70

def delete_session(req, session_id, options)
  new_sid = generate_sid unless options[:drop]
  # Reset hash and Assign the new session id
  req.set_header("action_dispatch.request.unsigned_session_cookie", new_sid ? { "session_id" => new_sid.public_id } : {})
  new_sid
end

#load_session(req) ⇒ Object



77
78
79
80
81
82
83
# File 'lib/action_dispatch/middleware/session/cookie_store.rb', line 77

def load_session(req)
  stale_session_check! do
    data = unpacked_cookie_data(req)
    data = persistent_session_id!(data)
    [Rack::Session::SessionId.new(data["session_id"]), data]
  end
end