Feature #2628
Set session store to cookie store by default
Status: Closed, 0% done
Description
It was said in this forum post that in .7 the session store would be set to 'cookie store' by default: http://www.redmine.org/boards/2/topics/show/150
However, the .8 version still has this set in environment.rb:
# Use the database for sessions instead of the file system
# (create the session table with 'rake db:sessions:create')
# config.action_controller.session_store = :active_record_store
config.action_controller.session_store = :PStore
I'm getting tens of thousands of sessions in my temporary directory daily. I clean them out with tmpreaper, but it seems better to stick them in the cookie store instead.
Perhaps there is a reason why this hasn't been set?
Updated by Jean-Philippe Lang almost 16 years ago
Setting cookie store by default is not so trivial since it requires a secret.
I never took the time to automate the process of generating a key at the first application start.
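Why a cookie store needs a secret, as an added illustration that is not code from this issue or from Redmine: the session data lives in the client's cookie, so the server can only trust it if it carries an HMAC that the client cannot recompute. The signing key, the `encode_session`/`decode_session` names and the JSON-instead-of-Marshal serialization are all assumptions of this example, not Rails' actual CookieStore code.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Hypothetical cookie store modelled on the idea behind Rails' CookieStore:
# the session hash is serialized, then an HMAC over the serialized bytes is
# appended. Without the secret a client can read the session but cannot
# forge or alter it. JSON is used instead of Marshal so that decoding a
# cookie never instantiates arbitrary objects.

SECRET_MIN_LENGTH = 30 # the lower bound named in the generated initializer above

# Generate a secret the way the rake task on this page does (40 random
# bytes, hex-encoded, i.e. 80 characters).
def generate_secret(bytes = 40)
  SecureRandom.hex(bytes)
end

# Constant-time comparison so a forged signature cannot be guessed one byte
# at a time by measuring how long verification takes.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def sign(payload, secret)
  OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
end

# Serialize and sign a session hash; the result is the cookie value.
def encode_session(session, secret)
  raise ArgumentError, 'secret too short' if secret.length < SECRET_MIN_LENGTH
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{sign(payload, secret)}"
end

# Verify and deserialize a cookie value. Returns nil when the signature does
# not match, i.e. when the cookie was tampered with or was produced under a
# different secret (which is exactly what happens when the key is rotated).
def decode_session(cookie, secret)
  payload, signature = cookie.split('--', 2)
  return nil if payload.nil? || signature.nil?
  return nil unless secure_compare(sign(payload, secret), signature)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $0
  secret = generate_secret
  cookie = encode_session({ 'user_id' => 42 }, secret)
  puts cookie
  p decode_session(cookie, secret)
  # Flip one character of the payload: the HMAC no longer matches.
  forged = cookie.sub(/\A./) { |c| c == 'A' ? 'B' : 'A' }
  p decode_session(forged, secret)
end
```

The check on secret length mirrors the warning in the generated file: a short or guessable key lets an attacker recompute the HMAC offline, at which point the cookie store is no safer than an unsigned one.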
Updated by Eric Davis almost 16 years ago
Mephisto has a rake task to automatically create one. It's MIT licensed so we should be able to just use it:
file 'config/initializers/session_store.rb' do
  path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
  File.open(path, 'w') do |f|
    f.write <<"EOD"
# This file was generated by 'rake config/initializers/session_store.rb',
# and should not be made visible to public. Do not check it into github!
# If you have a load-balancing Mephisto cluster, you will need to use the
# same version of this file on each machine. And be sure to restart your
# server when you modify this file.
# Your secret key for verifying cookie session data integrity. If you
# change this key, all old sessions will become invalid! Make sure the
# secret is at least 30 characters and all random, no regular words or
# you'll be exposed to dictionary attacks.
ActionController::Base.session = {
  :session_key => '_mephisto_session_2',
  :secret => '#{ActiveSupport::SecureRandom.hex(40)}'
}
EOD
  end
end
Updated by Javier Barroso almost 16 years ago
Hi,
Is it safe to remove session files older than 2 days?
- df -i
/dev/sda4 294912 240644 54268 82% /opt
I have 179585 session files from 28-1-2009.
Can I set up config/initializers/session_store.rb just by adding it, or is any further step necessary?
Thank you
Sorry for my English
Updated by Eric Davis almost 16 years ago
Javier Barroso wrote:
Is it safe to remove session files older than 2 days?
Yes, I have a crontab to remove sessions that are older than 10 hours.
Updated by Jean-Philippe Lang almost 16 years ago
- Status changed from New to Closed
- Target version set to 0.9.0
- Resolution set to Fixed
As of today, current trunk runs with Rails 2.2 and uses cookie store by default.
A rake task that generates a secret was added. Just run it once:
rake config/initializers/session_store.rb
Updated by Javier Barroso almost 16 years ago
Thanks Eric (and Jean),
I was thinking it was a problem from a plugin, see my report at:
http://sourceforge.net/tracker/index.php?func=detail&aid=2636633&group_id=228995&atid=1075435
Updated by Eric Davis almost 15 years ago
I just added a second rake task to generate the session_store.rb (it's an alias). There have been a lot of problems with rake config/initializers/session_store.rb; many people think the session_store.rb file needs to exist before the command can be run.