Class: ActionDispatch::Session::CookieStore
Relationships & Source Files
Class Chain: self, AbstractSecureStore, Rack::Session::Abstract::PersistedSecure
Instance Chain: self, AbstractSecureStore, SessionObject, StaleSessionCheck, Compatibility, Rack::Session::Abstract::PersistedSecure
Inherits: ActionDispatch::Session::AbstractSecureStore
Defined in: actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
Overview
This cookie-based session store is the Rails default. It is dramatically faster than the alternatives.
Sessions typically contain at most a user ID and flash message; both fit within the 4096-byte cookie size limit. A CookieOverflow exception is raised if you attempt to store more than 4096 bytes of data.
The cookie jar used for storage is automatically configured to be the best possible option given your application’s configuration.
Your cookies will be encrypted using your application’s secret_key_base. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in Rails 4.
Configure your session store in an initializer:
    Rails.application.config.session_store :cookie_store, key: '_your_app_session'
In the development and test environments your application’s secret_key_base is generated by Rails and stored in a temporary file in tmp/local_secret.txt. In all other environments, it is stored encrypted in the config/credentials.yml.enc file.
If your application was not updated to Rails 5.2 defaults, the secret_key_base will be found in the old config/secrets.yml file.
Note that changing your secret_key_base will invalidate all existing sessions. Additionally, before changing it, you should make sure you are not relying on the ability to decode signed cookies generated by your app in external applications or JavaScript.
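The two properties described above (an encrypted cookie can be neither read nor altered by the user, and changing secret_key_base invalidates every existing session) can be seen in a simplified model built on Ruby's OpenSSL standard library. This is an added example, not Rails' own code; the SketchCookie module, its salt, iteration count, JSON serialization and "--" cookie layout are assumptions of the sketch.

```ruby
require "openssl"
require "base64"
require "json"

# Simplified model of an encrypted session cookie (not Rails' own code).
# Salt, iteration count, JSON serialization and layout are assumptions of this sketch.
module SketchCookie
  MAX_COOKIE_SIZE = 4096 # byte limit stated in the overview
  class Overflow < StandardError; end
  class Invalid < StandardError; end

  def self.derive_key(secret_key_base)
    OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: "sketch session cookie",
                             iterations: 1000, length: 32, hash: "sha256")
  end

  # Encrypt and authenticate the session hash with AES-256-GCM.
  def self.seal(session, secret_key_base)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = derive_key(secret_key_base)
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    value = [ciphertext, iv, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
    raise Overflow, "#{value.bytesize} bytes exceeds #{MAX_COOKIE_SIZE}" if value.bytesize > MAX_COOKIE_SIZE
    value
  end

  # Returns the session hash, or raises Invalid if the cookie was altered
  # or was sealed under a different secret_key_base.
  def self.unseal(value, secret_key_base)
    parts = value.to_s.split("--")
    raise Invalid, "malformed cookie" unless parts.size == 3
    ciphertext, iv, tag = parts.map { |p| Base64.strict_decode64(p) }
    raise Invalid, "bad tag length" unless tag.bytesize == 16 # reject truncated tags
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = derive_key(secret_key_base)
    cipher.iv = iv
    cipher.auth_tag = tag
    JSON.parse(cipher.update(ciphertext) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    raise Invalid, "cookie failed authentication"
  end
end

if __FILE__ == $PROGRAM_NAME
  cookie = SketchCookie.seal({ "session_id" => "constructed-sid", "user_id" => 42 }, "k" * 64)
  puts cookie                             # opaque to the client
  p SketchCookie.unseal(cookie, "k" * 64) # round-trips under the same key
end
```

A cookie sealed under one key raises Invalid when opened under another, which is why rotating secret_key_base logs every user out at once.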
Because CookieStore extends Rack::Session::Abstract::Persisted, many of the options described there can be used to customize the session cookie that is generated. For example:
    Rails.application.config.session_store :cookie_store, expire_after: 14.days
would set the session cookie to expire automatically 14 days after creation. Other useful options include :key, :secure, :httponly, and :same_site.
Constant Summary
- DEFAULT_SAME_SITE = (internal use only)
    # File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 62
    proc { |request| request.cookies_same_site_protection }
Class Method Summary
- .new(app, options = {}) ⇒ CookieStore constructor
Instance Method Summary
- #delete_session(req, session_id, options)
- #load_session(req)
- #cookie_jar(request) private
- #extract_session_id(req) private
- #get_cookie(req) private
- #persistent_session_id!(data, sid = nil) private
- #set_cookie(request, session_id, cookie) private
- #unpacked_cookie_data(req) private
- #write_session(req, sid, session_data, options) private
AbstractSecureStore
- Inherited
SessionObject
- Included
StaleSessionCheck
- Included
Compatibility
- Included
Constructor Details
.new(app, options = {}) ⇒ CookieStore
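    # File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 64
    def initialize(app, options = {})
      # The session lives only in the cookie
      options[:cookie_only] = true
      # Apply the default SameSite policy unless the caller set one explicitly
      options[:same_site] = DEFAULT_SAME_SITE if !options.key?(:same_site)
      super
    end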
Instance Method Details
#cookie_jar(request) (private)
    # File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 124
    def cookie_jar(request)
      # Encrypted jar when available, signed jar otherwise
      request.cookie_jar.signed_or_encrypted
    end
#delete_session(req, session_id, options)
    # File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 70
    def delete_session(req, session_id, options)
      new_sid = generate_sid unless options[:drop]
      # Reset hash and Assign the new session id
      req.set_header("action_dispatch.request.unsigned_session_cookie", new_sid ? { "session_id" => new_sid.public_id } : {})
      new_sid
    end
#extract_session_id(req) (private)
#get_cookie(req) (private)
    # File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 120
    def get_cookie(req)
      cookie_jar(req)[@key]
    end
#load_session(req)
    # File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 77
    def load_session(req)
      stale_session_check! do
        data = unpacked_cookie_data(req)
        data = persistent_session_id!(data)
        [Rack::Session::SessionId.new(data["session_id"]), data]
      end
    end
#persistent_session_id!(data, sid = nil) (private)
    # File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 105
    def persistent_session_id!(data, sid = nil)
      data ||= {}
      data["session_id"] ||= sid || generate_sid.public_id
      data
    end
#set_cookie(request, session_id, cookie) (private)
    # File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 116
    def set_cookie(request, session_id, cookie)
      cookie_jar(request)[@key] = cookie
    end
#unpacked_cookie_data(req) (private)
    # File 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb', line 93
    def unpacked_cookie_data(req)
      # Decode the cookie once per request and cache the result in the request env
      req.fetch_header("action_dispatch.request.unsigned_session_cookie") do |k|
        v = stale_session_check! do
          if data = get_cookie(req)
            data.stringify_keys!
          end
          data || {}
        end
        req.set_header k, v
      end
    end