Class: ActionDispatch::Cookies

Inherits:
Object
  • Object
show all
Defined in:
lib/action_dispatch/middleware/cookies.rb

Overview

Read and write data to cookies through ActionController::Cookies#cookies.

When reading cookie data, the data is read from the HTTP request header, Cookie. When writing cookie data, the data is sent out in the HTTP response header, ‘Set-Cookie`.

Examples of writing:

# Sets a simple session cookie.
# This cookie will be deleted when the user's browser is closed.
cookies[:user_name] = "david"

# Cookie values are String-based. Other data types need to be serialized.
cookies[:lat_lon] = JSON.generate([47.68, -122.37])

# Sets a cookie that expires in 1 hour.
cookies[:login] = { value: "XJ-122", expires: 1.hour }

# Sets a cookie that expires at a specific time.
cookies[:login] = { value: "XJ-122", expires: Time.utc(2020, 10, 15, 5) }

# Sets a signed cookie, which prevents users from tampering with its value.
cookies.signed[:user_id] = current_user.id
# It can be read using the signed method.
cookies.signed[:user_id] # => 123

# Sets an encrypted cookie value before sending it to the client which
# prevent users from reading and tampering with its value.
cookies.encrypted[:discount] = 45
# It can be read using the encrypted method.
cookies.encrypted[:discount] # => 45

# Sets a "permanent" cookie (which expires in 20 years from now).
cookies.permanent[:login] = "XJ-122"

# You can also chain these methods:
cookies.signed.permanent[:login] = "XJ-122"

Examples of reading:

cookies[:user_name]           # => "david"
cookies.size                  # => 2
JSON.parse(cookies[:lat_lon]) # => [47.68, -122.37]
cookies.signed[:login]        # => "XJ-122"
cookies.encrypted[:discount]  # => 45

Example for deleting:

cookies.delete :user_name

Please note that if you specify a ‘:domain` when setting a cookie, you must also specify the domain when deleting the cookie:

cookies[:name] = {
  value: 'a yummy cookie',
  expires: 1.year,
  domain: 'domain.com'
}

cookies.delete(:name, domain: 'domain.com')

The option symbols for setting cookies are:

  • ‘:value` - The cookie’s value.

  • ‘:path` - The path for which this cookie applies. Defaults to the root of the application.

  • ‘:domain` - The domain for which this cookie applies so you can restrict to the domain level. If you use a schema like www.example.com and want to share session with user.example.com set `:domain` to `:all`. To support multiple domains, provide an array, and the first domain matching `request.host` will be used. Make sure to specify the `:domain` option with `:all` or `Array` again when deleting cookies. For more flexibility you can set the domain on a per-request basis by specifying `:domain` with a proc.

    domain: nil  # Does not set cookie domain. (default)
    domain: :all # Allow the cookie for the top most level
                 # domain and subdomains.
    domain: %w(.example.com .example.org) # Allow the cookie
                                          # for concrete domain names.
    domain: proc { Tenant.current.cookie_domain } # Set cookie domain dynamically
    domain: proc { |req| ".sub.#{req.host}" }     # Set cookie domain dynamically based on request
    
  • ‘:tld_length` - When using `:domain => :all`, this option can be used to explicitly set the TLD length when using a short (<= 3 character) domain that is being interpreted as part of a TLD. For example, to share cookies between user1.lvh.me and user2.lvh.me, set `:tld_length` to 2.

  • ‘:expires` - The time at which this cookie expires, as a Time or ActiveSupport::Duration object.

  • ‘:secure` - Whether this cookie is only transmitted to HTTPS servers. Default is `false`.

  • ‘:httponly` - Whether this cookie is accessible via scripting or only HTTP. Defaults to `false`.

  • ‘:same_site` - The value of the `SameSite` cookie attribute, which determines how this cookie should be restricted in cross-site contexts. Possible values are `nil`, `:none`, `:lax`, and `:strict`. Defaults to `:lax`.

Defined Under Namespace

Modules: ChainedCookieJars, SerializedCookieJars Classes: AbstractCookieJar, CookieJar, EncryptedKeyRotatingCookieJar, PermanentCookieJar, SignedKeyRotatingCookieJar

Constant Summary collapse

HTTP_HEADER =
"Set-Cookie"
GENERATOR_KEY =
"action_dispatch.key_generator"
"action_dispatch.signed_cookie_salt"
"action_dispatch.encrypted_cookie_salt"
"action_dispatch.encrypted_signed_cookie_salt"
"action_dispatch.authenticated_encrypted_cookie_salt"
"action_dispatch.use_authenticated_cookie_encryption"
"action_dispatch.encrypted_cookie_cipher"
"action_dispatch.signed_cookie_digest"
SECRET_KEY_BASE =
"action_dispatch.secret_key_base"
COOKIES_SERIALIZER =
"action_dispatch.cookies_serializer"
COOKIES_DIGEST =
"action_dispatch.cookies_digest"
COOKIES_ROTATIONS =
"action_dispatch.cookies_rotations"
COOKIES_SAME_SITE_PROTECTION =
"action_dispatch.cookies_same_site_protection"
USE_COOKIES_WITH_METADATA =
"action_dispatch.use_cookies_with_metadata"
4096
CookieOverflow =

Raised when storing more than 4K of session data.

Class.new StandardError

Instance Method Summary collapse

Constructor Details

#initialize(app) ⇒ Cookies

Returns a new instance of Cookies.



700
701
702
# File 'lib/action_dispatch/middleware/cookies.rb', line 700

def initialize(app)
  @app = app
end

Instance Method Details

#call(env) ⇒ Object



704
705
706
707
708
709
710
711
712
713
714
715
716
717
# File 'lib/action_dispatch/middleware/cookies.rb', line 704

def call(env)
  request = ActionDispatch::Request.new(env)
  response = @app.call(env)

  if request.have_cookie_jar?
    cookie_jar = request.cookie_jar
    unless cookie_jar.committed?
      response = Rack::Response[*response]
      cookie_jar.write(response)
    end
  end

  response.to_a
end