class ActionDispatch::Session::CookieStore
:httponly, and :same_site.
Other useful options include :key, :secure,
would set the session cookie to expire automatically 14 days after creation.
Rails.application.config.session_store :cookie_store, expire_after: 14.days
is generated. For example:
options described there can be used to customize the session cookie that
Because CookieStore extends Rack::Session::Abstract::Persisted, many of the
applications or JavaScript before changing it.
ability to decode signed cookies generated by your app in external
Additionally, you should take care to make sure you are not relying on the
Note that changing your secret_key_base will invalidate all existing session.
will be found in the old config/secrets.yml file.
If your application was not updated to Rails 5.2 defaults, the secret_key_baseconfig/credentials.yml.enc file.
In all other environments, it is stored encrypted in the
generated by Rails and stored in a temporary file in tmp/local_secret.txt.
In the development and test environments your application’s secret_key_base is
Rails.application.config.session_store :cookie_store, key: ‘_your_app_session’
Configure your session store in an initializer:
be altered or read by users. This is the default starting in Rails 4.
goes a step further than signed cookies in that encrypted cookies cannot
Your cookies will be encrypted using your application’s secret_key_base. This
best possible option given your application’s configuration.
The cookie jar used for storage is automatically configured to be the
you attempt to store more than 4096 bytes of data.
within the 4096 bytes cookie size limit. A CookieOverflow exception is raised if
Sessions typically contain at most a user ID and flash message; both fit
dramatically faster than the alternatives.
This cookie-based session store is the Rails default. It is
= Action Dispatch Session CookieStore
def cookie_jar(request)
def cookie_jar(request) request.cookie_jar.signed_or_encrypted end
def delete_session(req, session_id, options)
def delete_session(req, session_id, options) new_sid = generate_sid unless options[:drop] # Reset hash and Assign the new session id req.set_header("action_dispatch.request.unsigned_session_cookie", new_sid ? { "session_id" => new_sid.public_id } : {}) new_sid end
def extract_session_id(req)
def extract_session_id(req) stale_session_check! do sid = unpacked_cookie_data(req)["session_id"] sid && Rack::Session::SessionId.new(sid) end end
def get_cookie(req)
def get_cookie(req) cookie_jar(req)[@key] end
def initialize(app, options = {})
def initialize(app, options = {}) options[:cookie_only] = true options[:same_site] = DEFAULT_SAME_SITE if !options.key?(:same_site) super end
def load_session(req)
def load_session(req) stale_session_check! do data = unpacked_cookie_data(req) data = persistent_session_id!(data) [Rack::Session::SessionId.new(data["session_id"]), data] end end
def persistent_session_id!(data, sid = nil)
def persistent_session_id!(data, sid = nil) data ||= {} data["session_id"] ||= sid || generate_sid.public_id data end
def set_cookie(request, session_id, cookie)
def set_cookie(request, session_id, cookie) cookie_jar(request)[@key] = cookie end
def unpacked_cookie_data(req)
def unpacked_cookie_data(req) req.fetch_header("action_dispatch.request.unsigned_session_cookie") do |k| v = stale_session_check! do if data = get_cookie(req) data.stringify_keys! end data || {} end req.set_header k, v end end
def write_session(req, sid, session_data, options)
def write_session(req, sid, session_data, options) session_data["session_id"] = sid.public_id SessionId.new(sid, session_data) end