Feature #2628


Set session store to cookie store by default

Added by micah anderson about 15 years ago. Updated about 14 years ago.

It was said in this forum post that in .7 the session store would be set to 'cookie store' by default:

However, the .8 version still has this set in environment.rb:

  # Use the database for sessions instead of the file system
  # (create the session table with 'rake db:sessions:create')
  # config.action_controller.session_store = :active_record_store
  config.action_controller.session_store = :PStore

I'm getting tens of thousands of sessions in my temporary directory daily. I clean them out with tmpreaper, but it seems better to stick them in the cookie store instead.

Perhaps there is a reason why this hasn't been set?

Related issues

Has duplicate: Redmine - Defect #3441: Too many session files (Closed, 2009-06-03)

Actions #1

Updated by Jean-Philippe Lang about 15 years ago

Setting cookie store by default is not so trivial since it requires a secret.
I never took the time to automate the process of generating a key at the first application start.

Actions #2

Updated by Eric Davis about 15 years ago

Mephisto has a rake task to automatically create one. It's MIT licensed so we should be able to just use it:

file 'config/initializers/session_store.rb' do
  path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
  File.open(path, 'w') do |f|
    f.write <<"EOD"
# This file was generated by 'rake config/initializers/session_store.rb',
# and should not be made visible to public.  Do not check it into github!
# If you have a load-balancing Mephisto cluster, you will need to use the
# same version of this file on each machine.  And be sure to restart your
# server when you modify this file.

# Your secret key for verifying cookie session data integrity.  If you
# change this key, all old sessions will become invalid!  Make sure the
# secret is at least 30 characters and all random, no regular words or
# you'll be exposed to dictionary attacks.
ActionController::Base.session = {
  :session_key => '_mephisto_session_2',
  :secret      => '#{ActiveSupport::SecureRandom.hex(40)}'
}
EOD
  end # closes File.open; the heredoc above ends at the EOD line
end

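An added example (not Mephisto's or Redmine's own code) covering the two points raised in comments #1 and #2: generating the initializer with a random secret only when no file exists yet, and why the secret matters, shown by reproducing in simplified form how the cookie store signs and verifies the session payload. The file path, the `_redmine_session` key name, the `secret_ok?` check and the minimum length of 30 (taken from the Mephisto comment) are assumptions.

```ruby
require 'securerandom'
require 'openssl'
require 'base64'
require 'tmpdir'
MIN_SECRET_LENGTH = 30 # lower bound quoted in the Mephisto comment above

# Generate config/initializers/session_store.rb once. An existing file is left
# alone: regenerating the secret would invalidate every outstanding session.
def write_session_store(path, app_name = 'redmine')
  return File.read(path) if File.exist?(path)
  secret = SecureRandom.hex(40) # 80 hex chars, 320 bits of randomness
  content = <<~EOD
    # Generated file holding the cookie-signing secret. Keep it out of version
    # control and use the same copy on every node behind a load balancer.
    ActionController::Base.session = {
      :session_key => '_#{app_name}_session',
      :secret      => '#{secret}'
    }
  EOD
  File.open(path, 'w', 0600) { |f| f.write(content) } # owner-only permissions
  content
end

def secret_from(content)
  content[/:secret\s*=>\s*'([^']+)'/, 1]
end
# Reject secrets that are short or not purely random hex (dictionary words etc.).
def secret_ok?(secret)
  secret.is_a?(String) && secret.length >= MIN_SECRET_LENGTH && secret.match?(/\A\h+\z/)
end

def same_digest?(a, b)
  return OpenSSL.secure_compare(a, b) if OpenSSL.respond_to?(:secure_compare)
  a == b # fallback on older openssl gems without a constant-time compare
end

# Simplified version of what the cookie store does with the secret: the session
# hash is serialized, base64-encoded and HMAC-signed; a cookie whose signature
# does not verify is discarded before it is ever deserialized.
def sign_session(session, secret)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)}"
end

def load_session(cookie, secret)
  data, digest = cookie.to_s.split('--', 2)
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data.to_s)
  return nil unless digest && same_digest?(expected, digest)
  Marshal.load(Base64.strict_decode64(data))
end
```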
Actions #3

Updated by Javier Barroso about 15 years ago


Is it safe to remove session files that are more than 2 days old?

  1. df -i
    /dev/sda4 294912 240644 54268 82% /opt

I have 179585 session files from 28 - 1 - 2009

Can I set up config/initializers/session_store.rb just by adding it, or is any further step necessary?

Thank you

Sorry for my English.

Actions #4

Updated by Eric Davis about 15 years ago

Javier Barroso wrote:

Is it safe to remove session files that are more than 2 days old?

Yes, I have a crontab to remove sessions that are older than 10 hours.

Actions #5

Updated by Jean-Philippe Lang about 15 years ago

  • Status changed from New to Closed
  • Target version set to 0.9.0
  • Resolution set to Fixed

As of today, current trunk runs with Rails 2.2 and uses cookie store by default.
A rake task that generates a secret was added. Just run it once:

Actions #6

Updated by Javier Barroso almost 15 years ago

Thanks Eric (and Jean),

I was thinking it was problem from plugin, see my report at:

Actions #7

Updated by Eric Davis about 14 years ago

I just added a second rake task to generate the session_store.rb (it's an alias). There have been a lot of problems with rake config/initializers/session_store.rb; many people think that the session_store.rb file needs to exist before the command can be run.
