Feature #2628
closed
Set session store to cookie store by default
Added by micah anderson almost 16 years ago.
Updated almost 15 years ago.
Description
It was said that in .7 the session store would be set to 'cookie store' by default, over in this forum post: http://www.redmine.org/boards/2/topics/show/150
However, the .8 version still has this set in environment.rb:
# Use the database for sessions instead of the file system
# (create the session table with 'rake db:sessions:create')
# config.action_controller.session_store = :active_record_store
config.action_controller.session_store = :PStore
I'm getting tens of thousands of sessions in my temporary directory daily. I clean them out with tmpreaper, but it seems better to stick them in the cookie store instead.
Perhaps there is a reason why this hasn't been set?
Setting cookie store by default is not so trivial since it requires a secret.
I never took the time to automate the process of generating a key at the first application start.
Mephisto has a rake task to automatically create one. It's MIT licensed so we should be able to just use it:
http://github.com/emk/mephisto/blob/1473acf8307ec21d2002acab94691841d8003580/lib/tasks/session_store.rake
# Rake file task: only runs when config/initializers/session_store.rb does not exist yet
file 'config/initializers/session_store.rb' do
  path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
  File.open(path, 'w') do |f|
    # The heredoc is interpolated, so the secret is generated once, at write time
    f.write <<"EOD"
# This file was generated by 'rake config/initializers/session_store.rb',
# and should not be made visible to public. Do not check it into github!
# If you have a load-balancing Mephisto cluster, you will need to use the
# same version of this file on each machine. And be sure to restart your
# server when you modify this file.
# Your secret key for verifying cookie session data integrity. If you
# change this key, all old sessions will become invalid! Make sure the
# secret is at least 30 characters and all random, no regular words or
# you'll be exposed to dictionary attacks.
ActionController::Base.session = {
  :session_key => '_mephisto_session_2',
  :secret => '#{ActiveSupport::SecureRandom.hex(40)}'
}
EOD
  end
end
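As an added illustration (not code from this thread, Redmine or Mephisto), a small Ruby model of what that secret protects: the cookie-store session is serialized, signed with an HMAC under the secret, and rejected when the signature or the key no longer match, which is why rotating the key invalidates every existing session. It uses JSON and HMAC-SHA256 for readability where Rails 2 used Marshal and HMAC-SHA1, and the 30-character minimum from the generated file's comment.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

MIN_SECRET_LENGTH = 30  # lower bound quoted in the generated session_store.rb

# Same shape as ActiveSupport::SecureRandom.hex(40): 40 random bytes as 80 hex chars
def generate_secret
  SecureRandom.hex(40)
end

# Reject secrets that are too short; a short or word-like secret is guessable offline
def secret_ok?(secret)
  secret.is_a?(String) && secret.length >= MIN_SECRET_LENGTH
end

def sign(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, secret, data)
end

# Cookie value is "<base64 payload>--<hmac>"; the payload is readable by the client,
# the HMAC is what stops the client from changing it.
def encode_session(session, secret)
  raise ArgumentError, 'secret too short' unless secret_ok?(secret)
  data = [JSON.generate(session)].pack('m0')
  "#{data}--#{sign(data, secret)}"
end

# Constant-time comparison so timing does not leak how many digest bytes matched
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil when the cookie is malformed, tampered with,
# or was signed under a different secret
def decode_session(cookie, secret)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(sign(data, secret), digest)
  JSON.parse(data.unpack('m0').first)
rescue ArgumentError, JSON::ParserError
  nil
end
```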
Hi,
Is it safe to remove session files older than 2 days?
- df -i
/dev/sda4 294912 240644 54268 82% /opt
I have 179585 session files from 28-1-2009.
Can I set up config/initializers/session_store.rb just by adding it, or is any further step necessary?
Thank you
Sorry for my English
Javier Barroso wrote:
Is it safe to remove session files older than 2 days?
Yes, I have a crontab to remove sessions that are older than 10 hours.
- Status changed from New to Closed
- Target version set to 0.9.0
- Resolution set to Fixed
As of today, current trunk runs with Rails 2.2 and uses cookie store by default.
A rake task that generates a secret was added. Just run it once:
config/initializers/session_store.rb
I just added a second rake task to generate the session_store.rb (it's an alias). There have been a lot of problems with rake config/initializers/session_store.rb; many people think that the session_store.rb file needs to exist before the command can be run.