24

Can someone point out what the new Rails 3.x session configuration options are?

I'm trying to duplicate the same configuration that I have in my Rails 2.3.x application.

This is the configuration that I used in the application:

#environment.rb
config.action_controller.session_store = :active_record_store

config.action_controller.session = {
  :key    => '_something', # non-secure for development
  :secret => 'really long random string'
}


# production.rb - override environment.rb for production
config.action_controller.session = {
  :key            => '_something_secure',
  :secret         => 'really long random string',
  :expire_after   => 60*60, # time in seconds
  :secure         => true # The session will now not be sent or received on HTTP requests.
}

However, in Rails 3.x, I can only find mention of the following:

AppName::Application.config.session_store :active_record_store

AppName::Application.config.secret_token = 'really long random string'

AppName::Application.config.cookie_secret = 'another really long random string'

Are there other config settings to control the key, expire_after time, and secure option?

Regarding the latter, if "config.force_ssl = true" is set in production.rb, I assume the secure option is no longer required?

Thanks very much!

shedd

1 Answer

40

You now configure the cookie-based session store through an initializer, probably in config/initializers/session_store.rb. In Rails 3 the session store is a piece of middleware, and the configuration options are passed in with a single call to config.session_store:

Your::Application.config.session_store :cookie_store, :key => '_session'

You can put any extra options you want in the hash with :key, e.g.

Your::Application.config.session_store :cookie_store, {
  :key =>           '_session_id',
  :path =>          '/',
  :domain =>        nil,
  :expire_after =>  nil,
  :secure =>        false,
  :httponly =>      true,
  :cookie_only =>   true
}

(Those are just the standard defaults)

If you force SSL in production then setting secure on the cookie shouldn't really make a difference in practice, but you might want to set it just to be on the safe side...

Your::Application.config.session_store :cookie_store, {
  :key =>           '_session_id',
  :secure =>        Rails.env.production?
}
fidothe
  • Looks like that does it! Thanks for this! – shedd Feb 18 '12 at 16:38
  • 2
    And also, just to clarify, it appears that these options work on the active_record session store, too. I noted that the code samples in the above are coded for the cookie store, but I tried these with active_record store (which was what the question asked about) and the options appear to take effect. – shedd Feb 18 '12 at 16:40
  • Debugging for an old project, thanks for saving my time. – Hailong Cao Jan 26 '16 at 02:55
  • Is the :key argument required if the session_store is active_record? At present I am migrating from 3.0 to 3.2 and the Rails guide says to change that key http://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#config-initializers-session-store-rb . Is the value of the key argument in any way related to secret_token? – raj454raj Jun 03 '16 at 09:41
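
One way to confirm that the :key, :secure, :httponly and :expire_after options from the answer above actually reach the browser is to audit the Set-Cookie header the application emits. This is an added example, not code from the question or the answer: audit_session_cookie and the sample headers are hypothetical, and it assumes :expire_after shows up as an expires= attribute on the cookie.

```ruby
require 'time'

# Constructed sample headers (not captured from a real application).
NOW  = Time.utc(2012, 2, 18, 16, 38, 0)
GOOD = '_something_secure=abc123; path=/; expires=Sat, 18 Feb 2012 17:38:00 GMT; secure; HttpOnly'
WEAK = '_something_secure=abc123; path=/; HttpOnly'
LONG = '_something_secure=abc123; path=/; expires=Sun, 19 Feb 2012 16:38:00 GMT; secure; HttpOnly'

# Hypothetical helper: checks one Set-Cookie value against the expected
# session policy. Returns a list of findings; an empty list means the cookie
# carries the expected key, flags and lifetime.
def audit_session_cookie(set_cookie, key, max_lifetime, now = Time.now)
  pair, *attrs = set_cookie.split(';').map(&:strip)
  name = pair.split('=', 2).first
  return [:not_session_cookie] unless name == key

  # Attribute names are case-insensitive; flags such as Secure have no value.
  parsed = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split('=', 2)
    h[k.downcase] = v.nil? ? true : v
  end

  findings = []
  findings << :missing_secure   unless parsed['secure']   # sent over plain HTTP too
  findings << :missing_httponly unless parsed['httponly'] # readable from JavaScript
  expires = parsed['expires']
  if !expires.is_a?(String)
    findings << :no_expiry                                # lives until the browser closes
  elsif Time.parse(expires) - now > max_lifetime
    findings << :lifetime_too_long                        # exceeds the intended expire_after
  end
  findings
end

{ 'GOOD' => GOOD, 'WEAK' => WEAK, 'LONG' => LONG }.each do |label, header|
  puts "#{label}: #{audit_session_cookie(header, '_something_secure', 60 * 60, NOW).inspect}"
end
```

The same check can be pointed at a header copied from a production response to confirm the initializer took effect for whichever session store is in use.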