class ActionDispatch::Session::CookieStore

This cookie-based session store is the Rails default. It is dramatically faster than the alternatives.

Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A CookieOverflow exception is raised if you attempt to store more than 4K of data.

The cookie jar used for storage is automatically configured to be the best possible option given your application's configuration.

If you only have secret_token set, your cookies will be signed, but not encrypted. This means a user cannot alter their user_id without knowing your app's secret key, but can easily read their user_id. This was the default for Rails 3 apps.

If you have secret_key_base set, your cookies will be encrypted. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in Rails 4.

If you have both secret_token and secret_key_base set, your cookies will be encrypted, and signed cookies generated by Rails 3 will be transparently read and encrypted to provide a smooth upgrade path.

Configure your session store in config/initializers/session_store.rb:

  Rails.application.config.session_store :cookie_store, key: '_your_app_session'

Configure your secret key in config/secrets.yml:

  development:
    secret_key_base: 'secret key'

To generate a secret key for an existing application, run `rails secret`.

If you are upgrading an existing Rails 3 app, you should leave your existing secret_token in place and simply add the new secret_key_base. Note that you should wait to set secret_key_base until you have 100% of your user base on Rails 4 and are reasonably sure you will not need to roll back to Rails 3. This is because cookies signed based on the new secret_key_base in Rails 4 are not backwards compatible with Rails 3. You are free to leave your existing secret_token in place, not set the new secret_key_base, and ignore the deprecation warnings until you are reasonably sure that your upgrade is otherwise complete. Additionally, you should take care to make sure you are not relying on the ability to decode signed cookies generated by your app in external applications or JavaScript before upgrading.

Note that changing the secret key will invalidate all existing sessions!

Because CookieStore extends Rack::Session::Abstract::Persisted, many of the options described there can be used to customize the session cookie that is generated. For example:

  Rails.application.config.session_store :cookie_store, expire_after: 14.days

would set the session cookie to expire automatically 14 days after creation. Other useful options include :key, :secure and :httponly.
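As an added example, not code from the Rails documentation or the Rails source: a stdlib-only model of the two jars described above, so the difference between a signed cookie (readable by the client, but not alterable) and an encrypted cookie (neither readable nor alterable), together with the 4K CookieOverflow rule, can be observed without loading Rails. The SECRET value, the key derivation, the `--` separator, the JSON encoding and the AES-256-GCM choice are all assumptions of this example; Rails' own cookie format and key derivation differ.

```ruby
require "openssl"
require "base64"
require "json"

# Added example (not from the Rails docs or code base). SECRET is a constructed
# value; a real app derives its keys from secret_key_base.
SECRET       = "constructed-demo-secret-not-for-real-use"
SIGN_KEY     = OpenSSL::Digest.digest("SHA256", "sign:#{SECRET}")  # 32-byte HMAC key
ENC_KEY      = OpenSSL::Digest.digest("SHA256", "enc:#{SECRET}")   # 32-byte AES-256 key
COOKIE_LIMIT = 4096                                                 # the 4K limit from the docs

class CookieOverflow < StandardError; end

# Constant-time comparison so a forged tag cannot be confirmed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# ---- signed jar: what you get with only secret_token (Rails 3 behaviour) ----
# The payload is plain Base64, readable by anyone holding the cookie; only the
# HMAC tag depends on the secret, so the payload can be read but not changed.
def sign_cookie(session)
  payload = Base64.strict_encode64(JSON.generate(session))
  tag = OpenSSL::HMAC.hexdigest("SHA256", SIGN_KEY, payload)
  "#{payload}--#{tag}"
end

def verify_signed_cookie(cookie)
  payload, tag = cookie.split("--", 2)
  return nil if payload.nil? || tag.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest("SHA256", SIGN_KEY, payload), tag)
  JSON.parse(Base64.strict_decode64(payload).force_encoding("UTF-8"))
end

# What the browser (or any JavaScript) can see without knowing the secret.
def peek_signed_cookie(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split("--", 2).first).force_encoding("UTF-8"))
end

# Edits the payload but keeps the old tag: the change the HMAC check must catch.
def tampered_signed_cookie(cookie, changes)
  payload, tag = cookie.split("--", 2)
  data = JSON.parse(Base64.strict_decode64(payload).force_encoding("UTF-8")).merge(changes)
  "#{Base64.strict_encode64(JSON.generate(data))}--#{tag}"
end

# ---- encrypted jar: what you get with secret_key_base (Rails 4 default) ----
# AES-256-GCM gives confidentiality and integrity in one pass; the nonce is
# fresh per cookie and travels with it, as does the authentication tag.
def encrypt_cookie(session)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = ENC_KEY
  nonce = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  [ciphertext, nonce, cipher.auth_tag].map { |s| Base64.strict_encode64(s) }.join("--")
end

def decrypt_cookie(cookie)
  parts = cookie.split("--")
  return nil unless parts.size == 3
  ciphertext, nonce, tag = parts.map { |s| Base64.strict_decode64(s) }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = ENC_KEY
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = ""
  JSON.parse((cipher.update(ciphertext) + cipher.final).force_encoding("UTF-8"))
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil # wrong key, flipped bit or truncated tag: reject the cookie, never "repair" it
end

# Flips one bit of the first segment (payload or ciphertext) to simulate
# in-transit modification; both jars must reject the result.
def flip_a_bit(cookie)
  parts = cookie.split("--")
  raw = Base64.strict_decode64(parts[0])
  raw.setbyte(0, raw.getbyte(0) ^ 0x01)
  parts[0] = Base64.strict_encode64(raw)
  parts.join("--")
end

# The store raises rather than silently truncating once the cookie exceeds 4K.
def seal_for_cookie(session)
  cookie = encrypt_cookie(session)
  raise CookieOverflow, "session cookie is #{cookie.bytesize} bytes" if cookie.bytesize > COOKIE_LIMIT
  cookie
end

if __FILE__ == $PROGRAM_NAME
  session = { "session_id" => "c0ffee", "user_id" => 42 }
  signed = sign_cookie(session)
  puts "signed payload readable by client: #{peek_signed_cookie(signed)}"
  puts "tampered signed cookie accepted? #{!verify_signed_cookie(tampered_signed_cookie(signed, "user_id" => 1)).nil?}"
  enc = encrypt_cookie(session)
  puts "encrypted cookie decrypts to: #{decrypt_cookie(enc)}"
  puts "bit-flipped encrypted cookie accepted? #{!decrypt_cookie(flip_a_bit(enc)).nil?}"
end
```

Run it with `ruby cookie_jars.rb` (or any file name). The signed jar lets `peek_signed_cookie` recover the user_id with no key at all, which is exactly why the page recommends setting secret_key_base; both jars reject a modified cookie outright, which is the behaviour to preserve when writing your own verification: return nil and start a fresh session, never parse what failed the check.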
Source of the methods listed on this page, reindented:

  def cookie_jar(request)
    request.cookie_jar.signed_or_encrypted
  end

  def delete_session(req, session_id, options)
    new_sid = generate_sid unless options[:drop]
    # Reset hash and Assign the new session id
    req.set_header("action_dispatch.request.unsigned_session_cookie",
                   new_sid ? { "session_id" => new_sid } : {})
    new_sid
  end

  def extract_session_id(req)
    stale_session_check! do
      unpacked_cookie_data(req)["session_id"]
    end
  end

  def get_cookie(req)
    cookie_jar(req)[@key]
  end

  def initialize(app, options={})
    super(app, options.merge!(:cookie_only => true))
  end

  def load_session(req)
    stale_session_check! do
      data = unpacked_cookie_data(req)
      data = persistent_session_id!(data)
      [data["session_id"], data]
    end
  end

  def persistent_session_id!(data, sid=nil)
    data ||= {}
    data["session_id"] ||= sid || generate_sid
    data
  end

  def set_cookie(request, session_id, cookie)
    cookie_jar(request)[@key] = cookie
  end

  def unpacked_cookie_data(req)
    req.fetch_header("action_dispatch.request.unsigned_session_cookie") do |k|
      v = stale_session_check! do
        if data = get_cookie(req)
          data.stringify_keys!
        end
        data || {}
      end
      req.set_header k, v
    end
  end

  def write_session(req, sid, session_data, options)
    session_data["session_id"] = sid
    session_data
  end
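The :key, :expire_after, :secure and :httponly options mentioned above are the ones a reviewer checks first in a session_store initializer. As an added example, not Rails code, the following builds the options hash a hardened initializer would pass and audits an arbitrary hash for the weaknesses a production review would flag. It runs without Rails, so `14.days` is written out in seconds; the DAY constant, the 30-day threshold and the finding texts are assumptions of this example.

```ruby
# Added example (not from the Rails docs or code base): build and audit the
# options hash handed to config.session_store :cookie_store, ....
DAY = 24 * 60 * 60 # 14.days from the docs, written out without ActiveSupport

# The shape a hardened initializer would pass; :secure is tied to production
# so development over plain HTTP still works.
def session_store_options(env)
  {
    key: "_your_app_session",
    expire_after: 14 * DAY,
    secure: env == "production", # cookie only sent over HTTPS in production
    httponly: true               # not exposed to document.cookie
  }
end

# Returns the weaknesses a reviewer would flag for the given environment.
# With a cookie store there is no server-side record to expire, so a cookie
# without expire_after stays valid until the secret key is rotated (which, as
# the docs note, invalidates every session at once).
def audit_session_options(opts, env: "production")
  findings = []
  if env == "production" && !opts[:secure]
    findings << "secure not set: session cookie will also be sent over plain HTTP"
  end
  if opts.key?(:httponly) && !opts[:httponly]
    findings << "httponly disabled: session cookie readable from JavaScript"
  end
  if opts[:expire_after].nil?
    findings << "expire_after missing: a captured cookie stays valid until the secret is rotated"
  elsif opts[:expire_after] > 30 * DAY # assumed threshold for this example
    findings << "expire_after longer than 30 days: captured cookie stays valid for a long time"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts "hardened: #{audit_session_options(session_store_options("production")).inspect}"
  puts "weak:     #{audit_session_options({ key: "_your_app_session", httponly: false }).inspect}"
end
```

The audit only reports :httponly when it is explicitly set to false, because the example cannot know the framework default for an absent key; :secure is reported whenever it is not true in production, since an absent flag there means the cookie travels over plain HTTP.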