123456789_123456789_123456789_123456789_123456789_

Class: ActionDispatch::Session::CookieStore

Relationships & Source Files
Namespace Children
Classes:
SessionId
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, AbstractSecureStore, Rack::Session::Abstract::PersistedSecure
Instance Chain:
self, AbstractSecureStore, StaleSessionCheck, Compatibility, Rack::Session::Abstract::PersistedSecure
Inherits: ActionDispatch::Session::AbstractSecureStore
Defined in: actionpack/lib/action_dispatch/middleware/session/cookie_store.rb

Overview

This cookie-based session store is the ::Rails default. It is dramatically faster than the alternatives.

Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A CookieOverflow exception is raised if you attempt to store more than 4K of data.

The cookie jar used for storage is automatically configured to be the best possible option given your application’s configuration.

If you only have secret_token set, your cookies will be signed, but not encrypted. This means a user cannot alter their user_id without knowing your app’s secret key, but can easily read their user_id. This was the default for ::Rails 3 apps.

Your cookies will be encrypted using your apps secret_key_base. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in ::Rails 4.

Configure your session store in config/initializers/session_store.rb:

Rails.application.config.session_store :cookie_store, key: '_your_app_session'

In the development and test environments your application’s secret key base is generated by ::Rails and stored in a temporary file in tmp/development_secret.txt. In all other environments, it is stored encrypted in the config/credentials.yml.enc file.

If your application was not updated to ::Rails 5.2 defaults, the secret_key_base will be found in the old config/secrets.yml file.

Note that changing your secret_key_base will invalidate all existing session. Additionally, you should take care to make sure you are not relying on the ability to decode signed cookies generated by your app in external applications or JavaScript before changing it.

Because CookieStore extends Rack::Session::Abstract::Persisted, many of the options described there can be used to customize the session cookie that is generated. For example:

Rails.application.config.session_store :cookie_store, expire_after: 14.days

would set the session cookie to expire automatically 14 days after creation. Other useful options include :key, :secure and :httponly.

Class Method Summary

Instance Method Summary

AbstractSecureStore - Inherited

#generate_sid

StaleSessionCheck - Included

#extract_session_id, #load_session, #stale_session_check!

Compatibility - Included

#generate_sid, #initialize, #initialize_sid

Constructor Details

.new(app, options = {}) ⇒ CookieStore

[ GitHub ] 

  


# File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 64



def initialize(app, options = {})
  super(app, options.merge!(cookie_only: true))
end


  







Instance Method Details



  

    #delete_session(req, session_id, options)  
  

  [ GitHub ]


  

  


# File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 68



def delete_session(req, session_id, options)
  new_sid = generate_sid unless options[:drop]
  # Reset hash and Assign the new session id
  req.set_header("action_dispatch.request.unsigned_session_cookie", new_sid ? { "session_id" => new_sid.public_id } : {})
  new_sid
end


  








  

    #load_session(req)  
  

  [ GitHub ]


  

  


# File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 75



def load_session(req)
  stale_session_check! do
    data = unpacked_cookie_data(req)
    data = persistent_session_id!(data)
    [Rack::Session::SessionId.new(data["session_id"]), data]
  end
end