I'm using active_record_store for sessions:
session_store.rb:
Rails.application.config.session_store :active_record_store
I have code for reading/parsing the session data for logging purposes.
When the user logs into the ui, I get a new record in the sessions table, with a session_id like:
2::cbd180f1b721cc89d70e417661cf43c83f34d1c967a76daf14ca77db094a423a
But in my controller, when I look at cookies['_session_id'], I get:
eac9bd2420e0f5dbdfc22654df3b78dc
What is causing the discrepancy?
For anyone who runs into this, I found the answer in the rack gem, file lib/rack/session/abstract/id.rb.
The code refers to a public session id, which is the one in the cookie.
The private session id is:
"2::#{Digest::SHA256.hexdigest(public_session_id)}"
Related
I'm using Rails 4.2.2 (with Devise 3.4.1) and am changing the cookie_store domain from www.boundless.dev to .boundless.dev in order to share the same session across all of our subdomains (single sign-on).
Boundless::Application.config.session_store :cookie_store, key: '_boundless_session', domain: '.boundless.dev'
If I make this change alone. Existing logged-in users who return to the site will end up with 2 _boundless_session cookies, one with domain boundless.dev and the other with www.boundless.dev. Somehow this makes logging out impossible.
Is it possible to make this change without logging all users out of the site?
I thought that I'd be able to write a method as a before_filter in my ApplicationController to delete the session cookie and replace it with a new one at .boundless.dev, but it doesn't work, and I suspect it has something to do with the remember_user_token cookie.
def update_session_cookie_domain
session_cookie = cookies['_boundless_session']
cookies.delete('_boundless_session', domain: 'www.boundless.dev')
cookies['_boundless_session'] = {
value: session_cookie,
domain: '.boundless.dev'
}
end
I was able to solve this problem by changing the cookie name used for the session.
So the original config was:
Boundless::Application.config.session_store :cookie_store, key: '_boundless_session', domain: 'www.boundless.dev'
And I changed it to:
Boundless::Application.config.session_store :cookie_store, key: '_boundless_session_NEW', domain: '.boundless.dev'
I expected this to log users out, but it doesn't for some reason that I don't quite understand.
Unfortunately, I've yet to find a way to clear the old _boundless_session cookie, but at least now I can log out after having my session cookie updated to the more general domain.
Im developing ruby on rails application. I want to get the persistent cookie value and session cookie value in the application. Can any please guide me on this
I have read that request.session_options[:id] will fetch the session_id, is that the one that is usually stored in session cookie? Please guide me if my way of understanding is wrong.Thanks in advance
In Rails, it is simple as calling the session or cookies hash.
# Set a simple session cookie
cookies[:user_name] = "david"
# Read a cookie
cookies[:user_name] # => "david"
# Delete a key
cookies.delete :user_name
The same goes for session.
So, the information that you are looking for is probably inside one of these two.
Take a look at the examples at http://www.tutorialspoint.com/ruby-on-rails/rails-session-cookies.htm
My site is a single page rails app that interacts with a rails api. I recently added an api endpoint that allows a user to log out via ajax.
class Api::SessionsController < Api::ApplicationController
...
# DELETE /api/sessions/destroy
def destroy
session.delete(:user_id)
render json: { success: true }
end
...
end
This endpoint was working fine until I altered my session store to keep the session around when a user quits their browser.
config/initializers/session_store.rb diff:
AppName::Application.config.session_store :cookie_store,
- key: session_key, domain: TOP_LEVEL_DOMAIN
+ key: session_key, domain: TOP_LEVEL_DOMAIN, expire_after: 1.month
Now, after hitting my sessions#destroy endpoint via ajax, reloading the page logs the user back in, and still has the user_id in the session.
My guess is that the browser's cookie is not being overwritten by the DELETE ajax request (like it was before I added the expire_after parameter), but this is very tough to verify because the stored cookie is encrypted.
Does anyone have any solution ideas or debugging paths?
Does anyone know what is happening here?
When you set :expire_after to set the expiration of the cookie, it causes the cookie to persist to the given date even when the browser is closed. This means that when you change something in the session of Rails, you have to update the cookie. The simplest to way to achieve that is recreating the cookie.
Please don't bit my for my misunderstanding.
The sessions are very new for me, and i have some problems.
Okay i read many information about sessions and especially rails session. But this don't give me right imagine about sessions.
Did i understand right, when users send request to server (get) -> Server create a new session (and store this some file in hard drive with session id), session id -> is a random generated num? so, server create a new session (and store session on drive) after this server send back answer to client and set session_id in cookies?
Ok, i debug some params and see some results:
debug(session):
{:_csrf_token=>"jeONIfNxFmnpDn/xt6I0icNK1m3EB3CzT9KMntNk7KU=", :session_id=>"06c5628155efaa6446582c491499af6d", "flash"=>{}}
debug(cookies):
{"remember_user_token"=>"1::3GFRFyXb83lffzwPDPQd", "_blog_session"=>"BAh7CDoQX2NzcmZfdG9rZW4iMWplT05JZk54Rm1ucERuL3h0NkkwaWNOSzFtM0VCM0N6VDlLTW50Tms3S1U9Og9zZXNzaW9uX2lkIiUwNmM1NjI4MTU1ZWZhYTY0NDY1ODJjNDkxNDk5YWY2ZCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA==--348c88b594e98f4bf6389d94383134fbe9b03095"}
Okay, i know, what _csrf_token helps to prevent csrf.
session_id -> is id of the session which stored on hard drive (by default)
but what is _blog_session in cookies?
also, remeber_user_token containes my id (1::*) and what about second part, what is it?
Sorry for this stupid questions, i know what i can easy use any nice auth-plugins (authlogic/clearance/devise), but i want to fully understand sessions.
Thank you.
(also sorry for my english, this is not my native language)
remember_user_token is probably set by your authentication plugin, it is encrypted string, which is stored in users table and is used to authenticate him. Details can vary between plugins.
Second part: you are probably using cookie based session store (it is default),
So, _blog_session stores your encrypted session data.
More about cookie based sessions here and here.
The name "_blog_session" is set in config/initializers/session_store.rb
It looks like:
# Your secret key for verifying cookie session data integrity.
# If you change this key, all old sessions will become invalid!
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
ActionController::Base.session = {
:key => '_blogs_session',
:secret => '07fb6f0d41af4ae06aebb1696fcbb5a5398d4a08570744a4cd53ff237020c43a2022b4041d617d95bcf3f5c4601c7e6c1646eecfc157cc200e7dfedd7d7c6813'
}
I have a rails app that has the following content in the config/initializers/session_store.rb file:
ActionController::Base.session = {
:key => '_app_session',
:secret => 'a really long string here',
:expire_after => 2.minutes
}
ActionController::Base.session_store = :active_record_store
So during normal operations we are seeing ActiveRecord objects created in the database for each session. The issue is that we don't always want to create a session for requests - we'd like to be able to turn off session creation for automated requests. We are seeing thousands of session records in the database, one for each automated request. Prior to rails 2.3.3, the following was possible:
class ApplicationController < ActionController::Base
session :off
...
end
but now in rails 2.3.3 "session :off" has been deprecated because sessions are now lazy-loaded - if you don't use them, they are not created. The problem seems to be that the session object is always assigned in the sessionstore.rb file, and therefore always created. If I remove the session assignment block from the config file, then no session records appear after an automated request. My question is, how can I move the configuration assignments to the session hash out of session_store.rb and into the ApplicationController class (or elsewhere) where the session can be conditionally assigned only if a request is not automated? I'm concerned that the session config data may be needed before the controller handler is executed. Where would I put the assignment of the session key values?
Thanks in advance for any help.
The config/initializers are one-time configurations, they usually only ran once, on startup. According to the documentation, the lazy loading will only initialize the session if the "session" object is touched during a request.
Are you certain that you don't touch the session variable at all in your request cycle? (That is, in the filters, actions, helpers or templates). Also, do the session objects have some content that could tip you of as to where they were created?
sorry for the "late" answer but I think is relevant for people landing here.
was struggling with similar issues ever since session :off was removed from Rails.
I decide to "back-port" it for Rails 2.3+ as a plugin https://github.com/kares/session_off