Class | ActionController::Session::CookieStore |
In: |
vendor/rails/actionpack/lib/action_controller/session/cookie_store.rb
|
Parent: | Object |
This cookie-based session store is the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. Cookie-based sessions are dramatically faster than the alternatives.
If you have more than 4K of session data or don‘t want your data to be visible to the user, pick another session store.
CookieOverflow is raised if you attempt to store more than 4K of data.
A message digest is included with the cookie to ensure data integrity: a user cannot alter his user_id without knowing the secret key included in the hash. New apps are generated with a pregenerated secret in config/environment.rb. Set your own for old apps you‘re upgrading.
Session options:
:secret => '449fe2e7daee471bffae2fd8dc02313d' :secret => Proc.new { User.current_user.secret_key }
To generate a secret key for an existing application, run "rake secret" and set the key in config/environment.rb.
Note that changing digest or secret invalidates all existing sessions!
MAX | = | 4096 | Cookies can typically store 4096 bytes. | |
SECRET_MIN_LENGTH | = | 30 | ||
DEFAULT_OPTIONS | = | { :key => '_session_id', :domain => nil, :path => "/", :expire_after => nil, :httponly => true | ||
ENV_SESSION_KEY | = | "rack.session".freeze | ||
ENV_SESSION_OPTIONS_KEY | = | "rack.session.options".freeze | ||
HTTP_SET_COOKIE | = | "Set-Cookie".freeze |
# File vendor/rails/actionpack/lib/action_controller/session/cookie_store.rb, line 58 58: def initialize(app, options = {}) 59: # Process legacy CGI options 60: options = options.symbolize_keys 61: if options.has_key?(:session_path) 62: options[:path] = options.delete(:session_path) 63: end 64: if options.has_key?(:session_key) 65: options[:key] = options.delete(:session_key) 66: end 67: if options.has_key?(:session_http_only) 68: options[:httponly] = options.delete(:session_http_only) 69: end 70: 71: @app = app 72: 73: # The session_key option is required. 74: ensure_session_key(options[:key]) 75: @key = options.delete(:key).freeze 76: 77: # The secret option is required. 78: ensure_secret_secure(options[:secret]) 79: @secret = options.delete(:secret).freeze 80: 81: @digest = options.delete(:digest) || 'SHA1' 82: @verifier = verifier_for(@secret, @digest) 83: 84: @default_options = DEFAULT_OPTIONS.merge(options).freeze 85: 86: freeze 87: end
# File vendor/rails/actionpack/lib/action_controller/session/cookie_store.rb, line 89 89: def call(env) 90: env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env) 91: env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup 92: 93: status, headers, body = @app.call(env) 94: 95: session_data = env[ENV_SESSION_KEY] 96: options = env[ENV_SESSION_OPTIONS_KEY] 97: 98: if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after] 99: session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?) 100: session_data = marshal(session_data.to_hash) 101: 102: raise CookieOverflow if session_data.size > MAX 103: 104: cookie = Hash.new 105: cookie[:value] = session_data 106: unless options[:expire_after].nil? 107: cookie[:expires] = Time.now + options[:expire_after] 108: end 109: 110: cookie = build_cookie(@key, cookie.merge(options)) 111: unless headers[HTTP_SET_COOKIE].blank? 112: headers[HTTP_SET_COOKIE] << "\n#{cookie}" 113: else 114: headers[HTTP_SET_COOKIE] = cookie 115: end 116: end 117: 118: [status, headers, body] 119: end