Rails 3 additional session configuration options (key, expires_after, secure) - ruby-on-rails

Can someone point out what the new Rails 3.x session configuration options are?
I'm trying to duplicate the same configuration that I have in my Rails 2.3.x application.
This is the configuration that I used in the application:
#environment.rb
config.action_controller.session_store = :active_record_store
config.action_controller.session = {
:key => '_something', #non-secure for development
:secret => 'really long random string'
}
# production.rb - override environment.rb for production
config.action_controller.session = {
:key => '_something_secure',
:secret => 'really long random string',
:expire_after => 60*60,#time in seconds
:secure => true #The session will now not be sent or received on HTTP requests.
}
However, in Rails 3.x, I can only find mention of the following:
AppName::Application.config.session_store :active_record_store
AppName::Application.config.secret_token = 'really long random string'
AppName::Application.config.cookie_secret = 'another really long random string'
Are there other config settings to control the key, expire_after time, and secure option?
Regarding the latter, if "config.force_ssl = true" is set in production.rb, I assume the secure option is no longer required?
Thanks very much!

You now configure the Cookie-based session store through an initializer, probably in config/initializers/session_store.rb. In Rails 3 the session store is a piece of middleware, and the configuration options are passed in with a single call to config.session_store:
Your::Application.config.session_store :cookie_store, :key => '_session'
You can put any extra options you want in the hash with :key, e.g.
Your::Application.config.session_store :cookie_store, {
:key => '_session_id',
:path => '/',
:domain => nil,
:expire_after => nil,
:secure => false,
:httponly => true,
:cookie_only => true
}
(Those are just the standard defaults)
If you force SSL in production then setting secure on the cookie shouldn't really make a difference in practice, but you might want to set it just to be on the safe side...
Your::Application.config.session_store :cookie_store, {
:key => '_session_id',
:secure => Rails.env.production?
}

Related

Sessions never expire in rails 3.2

My sessions seem to never expire, even though I configured my session_store.rb file to have this code:
Barcadia::Application.config.session_store :cookie_store,
:key => '_barcadia_session',
:expire_after => 15.minutes
I want users to have to re-login if they have been idle for more than 15 minutes. I am using rails 3.2 and I've tried both cookie_store and active_record_store... Nothing seems to work.
The only thing i see missing are the brackets:
Barcadia::Application.config.session_store :cookie_store, {
:key => '_barcadia_session',
:expire_after => 15.minutes
}
Some::Application.config.session_store :active_record_store, {
expire_after: 24.hours,
}
this worked for me

With Dalli, what do you set for Key & Secret?

In the docs:
https://github.com/mperham/dalli
You set:
# Session cache / Memcache
ActionController::Base.session = {
:namespace => 'sessions',
:expire_after => 20.minutes.to_i,
:memcache_server => ['server-1:11211', 'server-2:11211'],
:key => ...,
:secret => ...
}
What do you set for Key and Secret?
Thanks
I presume you are configuring Dalli as your session store.
For the secret token, you can use the token that you would have already specified in config/initializers/secret_token.rb Or you can use random text like :secret => "extraterrestrialactivityfoundinbermudatriangle"
As for the key, it would normally contain your app name :key => "_my_app_name_session"

With Rails and Devise, how do I set the cookie properties if I'm using ActiveRecord store?

In myapp/config/initializers/session_store.rb, I have the following:
Myapp::Application.config.session_store :cookie_store, :key => '_myapp_session', :domain => :all
The :key option sets the name to use for the cookie, and :domain => :all says that the cookie can be shared across subdomains.
Now I want to move to using ActiveRecord to store the session. If I do this:
Myapp::Application.config.session_store :active_record_store
... although the session is stored in the database, there is still, of course, a cookie. But I no longer have control over its name or scope.
How can I use ActiveRecord store for the session and still specify the cookie name and domain?
Figured it out
It's very simple, actually:
Myapp::Application.config.session_store :active_record_store, :key => '_myapp_session', :domain => :all

Rails: how can I share permanent cookies across multiple subdomains?

My app's register and login processes take place on a secure subdomain. For this reason, I have modified config/initializers/session_store.rb to look like
if Rails.env.production?
AppName::Application.config.session_store :cookie_store, :key => '_app_name_session', :domain => '.app_name.com'
else
AppName::Application.config.session_store :cookie_store, :key => '_app_name_session'
end
so that the session can be shared across sub domains.
How can I share permanent cookies accross subdomains so that when I set a permanent cookie
on one subdomain via cookies.permanent[:some_key] = 'some value', I can access that cookie on another subdomain via cookies[:some_key]?
You need to specify the domain using a more verbose cookie setting method:
cookies[:some_cookie] = {
:value => "whatever",
:domain => ".app_name.com",
:expires => 1.year.from_now.utc
}
I haven't found a configuration setting to do this globally yet.

Rails 3: Can't seem to write cookies for top level domain :(

I setup the cookie store to domain => :all, like I could find in documentation and it seems to work, because devise's authentication works across the multiple domain.
MyApp::Application.config.session_store :cookie_store, :key => '_MyApp.com_session', :domain => :all
However when I am trying myself to write to a cookie, it always write down the sub domain... I don't get it:
I write the cookie in the simplest manner possible:
cookies.permanent[:remember_locale] = locale
But no matter what it won't set it for the top level domain whereas the one dropped by devise seems to manage it without a problem :(
Alex
ps: I am using rails 3.0.3
The configuration for the session_store only applies to the session cookie. When setting a separate cookie you have to specify the domain for that cookie as well.
cookies.permanent[:remember_locale] = { :value => locale, :domain => :all }
Note (pulled from rails source):
# Please note that if you specify a :domain when setting a cookie, you must also specify the domain when deleting the cookie:
#
# cookies[:key] = {
# :value => 'a yummy cookie',
# :expires => 1.year.from_now,
# :domain => 'domain.com'
# }
#
# cookies.delete(:key, :domain => 'domain.com')

Resources