Class ActionController::Session::CookieStore
In: vendor/rails/actionpack/lib/action_controller/session/cookie_store.rb
Parent: Object

This cookie-based session store is the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. Cookie-based sessions are dramatically faster than the alternatives.

If you have more than 4K of session data or don‘t want your data to be visible to the user, pick another session store.

CookieOverflow is raised if you attempt to store more than 4K of data.

A message digest is included with the cookie to ensure data integrity: a user cannot alter his user_id without knowing the secret key included in the hash. New apps are generated with a pregenerated secret in config/environment.rb. Set your own for old apps you‘re upgrading.

Session options:

  • :secret: An application-wide key string or block returning a string called per generated digest. The block is called with the CGI::Session instance as an argument. It‘s important that the secret is not vulnerable to a dictionary attack. Therefore, you should choose a secret consisting of random numbers and letters and more than 30 characters. Examples:
      :secret => '449fe2e7daee471bffae2fd8dc02313d'
      :secret => Proc.new { User.current_user.secret_key }
    
  • :digest: The message digest algorithm used to verify session integrity defaults to ‘SHA1’ but may be any digest provided by OpenSSL, such as ‘MD5’, ‘RIPEMD160’, ‘SHA256’, etc.

To generate a secret key for an existing application, run "rake secret" and set the key in config/environment.rb.

Note that changing digest or secret invalidates all existing sessions!

Methods

call   new  

Classes and Modules

Class ActionController::Session::CookieStore::CookieOverflow

Constants

MAX = 4096   Cookies can typically store 4096 bytes.
SECRET_MIN_LENGTH = 30
DEFAULT_OPTIONS = { :key => '_session_id', :domain => nil, :path => "/", :expire_after => nil, :httponly => true
ENV_SESSION_KEY = "rack.session".freeze
ENV_SESSION_OPTIONS_KEY = "rack.session.options".freeze
HTTP_SET_COOKIE = "Set-Cookie".freeze

Public Class methods

[Source]

    # File vendor/rails/actionpack/lib/action_controller/session/cookie_store.rb, line 58
58:       def initialize(app, options = {})
59:         # Process legacy CGI options
60:         options = options.symbolize_keys
61:         if options.has_key?(:session_path)
62:           options[:path] = options.delete(:session_path)
63:         end
64:         if options.has_key?(:session_key)
65:           options[:key] = options.delete(:session_key)
66:         end
67:         if options.has_key?(:session_http_only)
68:           options[:httponly] = options.delete(:session_http_only)
69:         end
70: 
71:         @app = app
72: 
73:         # The session_key option is required.
74:         ensure_session_key(options[:key])
75:         @key = options.delete(:key).freeze
76: 
77:         # The secret option is required.
78:         ensure_secret_secure(options[:secret])
79:         @secret = options.delete(:secret).freeze
80: 
81:         @digest = options.delete(:digest) || 'SHA1'
82:         @verifier = verifier_for(@secret, @digest)
83: 
84:         @default_options = DEFAULT_OPTIONS.merge(options).freeze
85: 
86:         freeze
87:       end

Public Instance methods

[Source]

     # File vendor/rails/actionpack/lib/action_controller/session/cookie_store.rb, line 89
 89:       def call(env)
 90:         env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
 91:         env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup
 92: 
 93:         status, headers, body = @app.call(env)
 94: 
 95:         session_data = env[ENV_SESSION_KEY]
 96:         options = env[ENV_SESSION_OPTIONS_KEY]
 97: 
 98:         if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after]
 99:           session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?)
100:           session_data = marshal(session_data.to_hash)
101: 
102:           raise CookieOverflow if session_data.size > MAX
103: 
104:           cookie = Hash.new
105:           cookie[:value] = session_data
106:           unless options[:expire_after].nil?
107:             cookie[:expires] = Time.now + options[:expire_after]
108:           end
109: 
110:           cookie = build_cookie(@key, cookie.merge(options))
111:           unless headers[HTTP_SET_COOKIE].blank?
112:             headers[HTTP_SET_COOKIE] << "\n#{cookie}"
113:           else
114:             headers[HTTP_SET_COOKIE] = cookie
115:           end
116:         end
117: 
118:         [status, headers, body]
119:       end

[Validate]