Feature #2628
Set session store to cookie store by default
| Status: | Closed | Start: | 2009-01-30 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | 0.9.0 | | |
| Resolution: | Fixed | | |
Description
It was said in this forum post that in .7 the session store would be set to 'cookie store' by default: http://www.redmine.org/boards/2/topics/show/150
However, the .8 version still has this set in environment.rb:

```ruby
# Use the database for sessions instead of the file system
# (create the session table with 'rake db:sessions:create')
# config.action_controller.session_store = :active_record_store
config.action_controller.session_store = :PStore
```

I'm getting tens of thousands of sessions in my temporary directory daily. I clean them out with tmpreaper, but it seems better to stick them in the cookie store instead.
Perhaps there is a reason why this hasn't been set?
History
Updated by Jean-Philippe Lang over 1 year ago
Setting cookie store by default is not so trivial since it requires a secret.
I never took the time to automate the process of generating a key at the first application start.
Updated by Eric Davis over 1 year ago
Mephisto has a rake task to automatically create one. It's MIT licensed so we should be able to just use it:

```ruby
# Rake file task: writes config/initializers/session_store.rb with a freshly
# generated secret. The task only runs when the file does not exist yet.
file 'config/initializers/session_store.rb' do
  path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
  File.open(path, 'w') do |f|
    f.write <<"EOD"
# This file was generated by 'rake config/initializers/session_store.rb',
# and should not be made visible to public. Do not check it into github!
# If you have a load-balancing Mephisto cluster, you will need to use the
# same version of this file on each machine. And be sure to restart your
# server when you modify this file.

# Your secret key for verifying cookie session data integrity. If you
# change this key, all old sessions will become invalid! Make sure the
# secret is at least 30 characters and all random, no regular words or
# you'll be exposed to dictionary attacks.
ActionController::Base.session = {
  :session_key => '_mephisto_session_2',
  :secret => '#{ActiveSupport::SecureRandom.hex(40)}'
}
EOD
  end
end
```
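As an added example (not Redmine's or Rails's code, and not part of the original thread), this Ruby model shows why the cookie store needs the secret Jean-Philippe mentions and what the rake task's `SecureRandom.hex(40)` protects: the Rails 2.x cookie store only signs the marshaled session with an HMAC keyed by that secret, so a weak or shared secret lets a client mint its own session cookies, and the server must check the signature before unmarshaling anything. Function names are my own, not Rails's.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Minimal model of the Rails 2.x CookieStore cookie format:
#   base64(Marshal.dump(session)) + "--" + HMAC-SHA1(secret, base64 payload)
# Nothing is encrypted; the secret is the only thing keeping a client from
# forging the hash, which is why it must be long, random and kept out of git.

# Same shape of secret the rake task in the thread writes (80 hex chars).
def generate_session_secret
  SecureRandom.hex(40)
end

def sign_session(session_hash, secret)
  payload = Base64.strict_encode64(Marshal.dump(session_hash))
  digest  = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time comparison: the time taken must not reveal how many
# digest characters matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil when the cookie is malformed or its
# signature does not verify. The check runs BEFORE Marshal.load, so bytes
# from an unverified cookie are never deserialized.
def load_session(cookie, secret)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  return nil unless secure_compare(expected, digest)
  Marshal.load(Base64.strict_decode64(payload))
end

if __FILE__ == $0
  secret = generate_session_secret
  cookie = sign_session({ 'user_id' => 42 }, secret)
  puts "valid cookie loads: #{load_session(cookie, secret).inspect}"
  forged = sign_session({ 'user_id' => 1 }, 'guessable')
  puts "cookie signed with a guessed secret loads: #{load_session(forged, secret).inspect}"
end
```

A secret built from dictionary words would let the forged-cookie case above succeed offline by brute force, which is the "dictionary attacks" remark in the generated file's comment.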
Updated by Javier Barroso over 1 year ago
Hi,
Is it safe to remove session files older than 2 days?

```
$ df -i
/dev/sda4 294912 240644 54268 82% /opt
```

I have 179585 session files from 28-1-2009.
Can I set up config/initializers/session_store.rb just by adding it, or is any further step necessary?
Thank you
Sorry for my English
Updated by Eric Davis over 1 year ago
Javier Barroso wrote:
> Is it safe to remove session files older than 2 days?

Yes, I have a crontab to remove sessions that are older than 10 hours.
Updated by Jean-Philippe Lang over 1 year ago
- Status changed from New to Closed
- Target version set to 0.9.0
- Resolution set to Fixed
As of today, current trunk runs with Rails 2.2 and uses cookie store by default.
A rake task that generates a secret was added. Just run it once:

```
rake config/initializers/session_store.rb
```

Updated by Javier Barroso over 1 year ago
Thanks Eric (and Jean),
I was thinking it was a problem with a plugin, see my report at:
http://sourceforge.net/tracker/index.php?func=detail&aid=2636633&group_id=228995&atid=1075435
Updated by Eric Davis 7 months ago
I just added a second rake task to generate the session_store.rb (it's an alias). There have been a lot of problems with `rake config/initializers/session_store.rb`; many people think that the session_store.rb file needs to exist before the command can be run.