Feature #2628
closed
Set session store to cookie store by default
Description
It was said that in .7 the session store would be set to 'cookie store' by default, over in this forum post: http://www.redmine.org/boards/2/topics/show/150
However, the .8 version still has this set in environment.rb:
# Use the database for sessions instead of the file system
# (create the session table with 'rake db:sessions:create')
# config.action_controller.session_store = :active_record_store
config.action_controller.session_store = :PStore
I'm getting tens of thousands of sessions in my temporary directory daily. I clean them out with tmpreaper, but it seems better to stick them in the cookie store instead.
Perhaps there is a reason why this hasn't been set?
Updated by Jean-Philippe Lang about 17 years ago
Setting cookie store by default is not so trivial since it requires a secret.
I never took the time to automate the process of generating a key at the first application start.
Updated by Eric Davis about 17 years ago
Mephisto has a rake task to automatically create one. It's MIT licensed so we should be able to just use it:
file 'config/initializers/session_store.rb' do
  path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
  File.open(path, 'w') do |f|
    f.write <<"EOD"
# This file was generated by 'rake config/initializers/session_store.rb',
# and should not be made visible to public. Do not check it into github!
# If you have a load-balancing Mephisto cluster, you will need to use the
# same version of this file on each machine. And be sure to restart your
# server when you modify this file.
# Your secret key for verifying cookie session data integrity. If you
# change this key, all old sessions will become invalid! Make sure the
# secret is at least 30 characters and all random, no regular words or
# you'll be exposed to dictionary attacks.
ActionController::Base.session = {
  :session_key => '_mephisto_session_2',
  :secret => '#{ActiveSupport::SecureRandom.hex(40)}'
}
EOD
  end
end
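What the generated secret is for, as an added example that is not part of the thread and is not Rails' or Mephisto's code: a simplified signed-cookie sketch in which the server appends an HMAC of the session data and rejects any cookie whose digest does not verify. The `SignedCookie` class, the JSON payload and the choice of HMAC-SHA256 are assumptions made for illustration; note that in this sketch the payload is only signed, so the client can still read it.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Hypothetical helper (not Rails' CookieStore): signs session data with an
# HMAC so the server can detect modification by the client.
class SignedCookie
  MIN_SECRET_LENGTH = 30 # minimum length asked for in the generated file's comment

  def initialize(secret)
    raise ArgumentError, 'secret too short' if secret.to_s.length < MIN_SECRET_LENGTH
    @secret = secret
  end

  # Cookie value is "<strict base64 of JSON payload>--<hex HMAC>".
  def dump(session)
    data = [JSON.generate(session)].pack('m0')
    "#{data}--#{digest(data)}"
  end

  # Returns the session hash, or nil when the digest is missing or wrong.
  def load(cookie)
    data, mac = cookie.to_s.split('--', 2)
    return nil if data.nil? || mac.nil?
    return nil unless secure_compare(mac, digest(data))
    JSON.parse(data.unpack1('m0'))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), @secret, data)
  end

  # Constant-time comparison, so timing does not reveal how much of a digest matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  jar = SignedCookie.new(SecureRandom.hex(40)) # constructed secret, 80 hex characters
  cookie = jar.dump('user_id' => 42)           # constructed sample session
  # Swap in a different payload while keeping the original digest.
  forged = cookie.sub(/\A[^-]+/, [JSON.generate('user_id' => 1)].pack('m0'))
  puts jar.load(cookie).inspect
  puts jar.load(forged).inspect
end
```

Changing the secret makes `load` return nil for every cookie issued earlier, which is why the generated file warns that old sessions become invalid and that clustered servers must share the same file.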
Updated by Javier Barroso about 17 years ago
Hi,
Is it safe to remove session files more than 2 days old?
- df -i
/dev/sda4 294912 240644 54268 82% /opt
I have 179585 session files from 28 - 1 - 2009
Can I set up config/initializers/session_store.rb just by adding it, or is any further step necessary?
Thank you
Sorry for my English
Updated by Eric Davis about 17 years ago
Javier Barroso wrote:
Is it safe to remove session files more than 2 days old?
Yes, I have a crontab to remove sessions that are older than 10 hours.
Updated by Jean-Philippe Lang about 17 years ago
- Status changed from New to Closed
- Target version set to 0.9.0
- Resolution set to Fixed
As of today, current trunk runs with Rails 2.2 and uses cookie store by default.
A rake task that generates a secret was added. Just run it once:
config/initializers/session_store.rb
Updated by Javier Barroso almost 17 years ago
Thanks Eric (and Jean),
I was thinking it was a problem from a plugin, see my report at:
http://sourceforge.net/tracker/index.php?func=detail&aid=2636633&group_id=228995&atid=1075435
Updated by Eric Davis about 16 years ago
I just added a second rake task to generate the session_store.rb (it's an alias). There have been a lot of problems with rake config/initializers/session_store.rb; many people think that the session_store.rb file needs to exist before the command can be run.