Session stored in ActiveRecored instead of Cookies

The cookie store is not big enough in some cases. In order to solve a CookieOverflow error and maybe track down the underlying issue this patch uses the database instead of cookies to store session data.
2026-03-10 03:30:22 +00:00 · 2015-06-04 15:10:41 +10:00
parent d6c630dad9
commit f88f42283a
4 changed files with 38 additions and 3 deletions
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,8 +1,10 @@
 # Be sure to restart your server when you modify this file.

-Openfoodnetwork::Application.config.session_store :cookie_store, key: '_openfoodnetwork_session'
+# The cookie_store can be too small for very long URLs stored by Devise.
+# The maximum size of cookies is 4096 bytes.
+#Openfoodnetwork::Application.config.session_store :cookie_store, key: '_openfoodnetwork_session'

 # Use the database for sessions instead of the cookie-based default,
 # which shouldn't be used to store highly confidential information
 # (create the session table with "rails generate session_migration")
-# Openfoodnetwork::Application.config.session_store :active_record_store
+Openfoodnetwork::Application.config.session_store :active_record_store
--- a/db/migrate/20150604045725_add_sessions_table.rb
+++ b/db/migrate/20150604045725_add_sessions_table.rb
@@ -0,0 +1,12 @@
+class AddSessionsTable < ActiveRecord::Migration
+  def change
+    create_table :sessions do |t|
+      t.string :session_id, :null => false
+      t.text :data
+      t.timestamps
+    end
+
+    add_index :sessions, :session_id
+    add_index :sessions, :updated_at
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.

-ActiveRecord::Schema.define(:version => 20150603001843) do
+ActiveRecord::Schema.define(:version => 20150604045725) do

  create_table "adjustment_metadata", :force => true do |t|
    t.integer "adjustment_id"
@@ -397,6 +397,16 @@ ActiveRecord::Schema.define(:version => 20150603001843) do
  add_index "product_distributions", ["enterprise_fee_id"], :name => "index_product_distributions_on_enterprise_fee_id"
  add_index "product_distributions", ["product_id"], :name => "index_product_distributions_on_product_id"

+  create_table "sessions", :force => true do |t|
+    t.string   "session_id", :null => false
+    t.text     "data"
+    t.datetime "created_at", :null => false
+    t.datetime "updated_at", :null => false
+  end
+
+  add_index "sessions", ["session_id"], :name => "index_sessions_on_session_id"
+  add_index "sessions", ["updated_at"], :name => "index_sessions_on_updated_at"
+
  create_table "spree_activators", :force => true do |t|
    t.string   "description"
    t.datetime "expires_at"
--- a/spec/requests/large_request_spec.rb
+++ b/spec/requests/large_request_spec.rb
@@ -0,0 +1,11 @@
+# Large requests can fail if Devise tries to store the URL in the session cookie.
+#
+# http://daniel.fone.net.nz/blog/2014/11/28/actiondispatch-cookies-cookieoverflow-via-devise-s-user_return_to/
+require 'spec_helper'
+
+RSpec.describe 'A very large request', type: :request do
+  it 'should not overflow cookies' do
+    get '/admin', foo: 'x' * ActionDispatch::Cookies::SignedCookieJar::MAX_COOKIE_SIZE
+    expect(response).to redirect_to 'http://www.example.com/#login?after_login=/admin'
+  end
+end