Feature #2628

Set session store to cookie store by default

Added by micah anderson over 13 years ago. Updated almost 13 years ago.

Status:ClosedStart date:2009-01-30
Priority:NormalDue date:
Assignee:-% Done:


Target version:0.9.0


It was said that in .7 that session store would be set to 'cookie store' by default over in this forum post: http://www.redmine.org/boards/2/topics/show/150

However, the .8 version still has this set in environment.rb:

  # Use the database for sessions instead of the file system
  # (create the session table with 'rake db:sessions:create')
  # config.action_controller.session_store = :active_record_store
  config.action_controller.session_store = :PStore

I'm getting tens of thousands of sessions in my temporary directory daily. I clean them out with tmpreaper, but it seems better to stick them in the cookie store instead.

perhaps there is a reason why this hasn't been set?

Related issues

Duplicated by Redmine - Defect #3441: Too many session files Closed 2009-06-03


#1 Updated by Jean-Philippe Lang over 13 years ago

Setting cookie store by default is not so trivial since it requires a secret.
I never took the time to automate the process of generating a key at the first application start.

#2 Updated by Eric Davis over 13 years ago

Mephisto has a rake task to automatically create a one. It's MIT licensed so we should be able to just use it:


file 'config/initializers/session_store.rb' do
  path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
  File.open(path, 'w') do |f|
    f.write <<"EOD" 
# This file was generated by 'rake config/initializers/session_store.rb',
# and should not be made visible to public.  Do not check it into github!
# If you have a load-balancing Mephisto cluster, you will need to use the
# same version of this file on each machine.  And be sure to restart your
# server when you modify this file.

# Your secret key for verifying cookie session data integrity.  If you
# change this key, all old sessions will become invalid!  Make sure the
# secret is at least 30 characters and all random, no regular words or
# you'll be exposed to dictionary attacks.
ActionController::Base.session = {
  :session_key => '_mephisto_session_2',
  :secret      => '#{ActiveSupport::SecureRandom.hex(40)}'

#3 Updated by Javier Barroso over 13 years ago


Is it sure remove + 2 days old session files ?

  1. df -i
    /dev/sda4 294912 240644 54268 82% /opt

I have 179585 session files from 28 - 1 - 2009

Can I setup config/initializers/session_store.rb only adding it, is it necessary any step more ?

Thank you

Sorry for my english

#4 Updated by Eric Davis over 13 years ago

Javier Barroso wrote:

Is it sure remove + 2 days old session files ?

Yes, I have a crontab to remove sessions that are older than 10 hours.

#5 Updated by Jean-Philippe Lang over 13 years ago

  • Status changed from New to Closed
  • Target version set to 0.9.0
  • Resolution set to Fixed

As of today, current trunk runs with Rails 2.2 and uses cookie store by default.
A rake task that generates a secret was added. Just run it once:


#6 Updated by Javier Barroso over 13 years ago

Thanks Eric (and Jean),

I was thinking it was problem from plugin, see my report at:

#7 Updated by Eric Davis almost 13 years ago

I just added a second rake task to generate the session_store.rb (it's an alias). There's been a lot of problems with rake config/initializers/session_store.rb, many people think that the session_store.rb file needs to exist before the command can be run.

Also available in: Atom PDF