diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 721e495265..d301b88739 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,8 +1,10 @@
 # Be sure to restart your server when you modify this file.
-Openfoodnetwork::Application.config.session_store :cookie_store, key: '_openfoodnetwork_session'
+# The cookie_store can be too small for very long URLs stored by Devise.
+# The maximum size of cookies is 4096 bytes.
+#Openfoodnetwork::Application.config.session_store :cookie_store, key: '_openfoodnetwork_session'
 # Use the database for sessions instead of the cookie-based default,
 # which shouldn't be used to store highly confidential information
 # (create the session table with "rails generate session_migration")
-# Openfoodnetwork::Application.config.session_store :active_record_store
+Openfoodnetwork::Application.config.session_store :active_record_store
diff --git a/db/migrate/20150604045725_add_sessions_table.rb b/db/migrate/20150604045725_add_sessions_table.rb
new file mode 100644
index 0000000000..4c879564a5
--- /dev/null
+++ b/db/migrate/20150604045725_add_sessions_table.rb
@@ -0,0 +1,12 @@
+class AddSessionsTable < ActiveRecord::Migration
+ def change
+ create_table :sessions do |t|
+ t.string :session_id, :null => false
+ t.text :data
+ t.timestamps
+ end
+
+ add_index :sessions, :session_id
+ add_index :sessions, :updated_at
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index e58d74c220..51fe2cd0e4 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
-ActiveRecord::Schema.define(:version => 20150603001843) do
+ActiveRecord::Schema.define(:version => 20150604045725) do
 create_table "adjustment_metadata", :force => true do |t|
 t.integer "adjustment_id"
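Review bot: Switching to :active_record_store gives the sessions table no expiry or cleanup, so a row is kept for every visitor that ever received a session and the store never forgets one on its own; the updated_at index added in the new migration only pays off if something periodically deletes stale rows. That should be stated where the store is configured, e.g. `# Sessions now live in the sessions table; stale rows are not removed automatically and must be pruned by a scheduled task (see db/migrate/20150604045725_add_sessions_table.rb).` The commented-out cookie_store line kept under the two new explanatory comment lines is dead configuration; the explanation alone, mentioning the '_openfoodnetwork_session' key name if it is still referenced elsewhere, would read cleaner than a disabled call.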
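Review bot: The index on session_id is not unique, yet the store looks a session up by that column and a duplicate value would make the lookup ambiguous; `add_index :sessions, :session_id, :unique => true` is what the session store's own generator emits and closes that gap at the database level. Presumably the session_id column holds the identifier the browser presents in its cookie — TODO confirm for this Rails version — in which case read access to this table is equivalent to holding every live login, which deserves a comment on the create_table block so backups and read replicas are handled accordingly. The hash-rocket `:null => false` style matches schema.rb, so leaving it is fine.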
@@ -397,6 +397,16 @@ ActiveRecord::Schema.define(:version => 20150603001843) do
 add_index "product_distributions", ["enterprise_fee_id"], :name => "index_product_distributions_on_enterprise_fee_id"
 add_index "product_distributions", ["product_id"], :name => "index_product_distributions_on_product_id"
+ create_table "sessions", :force => true do |t|
+ t.string "session_id", :null => false
+ t.text "data"
+ t.datetime "created_at", :null => false
+ t.datetime "updated_at", :null => false
+ end
+
+ add_index "sessions", ["session_id"], :name => "index_sessions_on_session_id"
+ add_index "sessions", ["updated_at"], :name => "index_sessions_on_updated_at"
+
 create_table "spree_activators", :force => true do |t|
 t.string "description"
 t.datetime "expires_at"
diff --git a/spec/requests/large_request_spec.rb b/spec/requests/large_request_spec.rb
new file mode 100644
index 0000000000..16fa4ce679
--- /dev/null
+++ b/spec/requests/large_request_spec.rb
@@ -0,0 +1,11 @@
+# Large requests can fail if Devise tries to store the URL in the session cookie.
+#
+# http://daniel.fone.net.nz/blog/2014/11/28/actiondispatch-cookies-cookieoverflow-via-devise-s-user_return_to/
+require 'spec_helper'
+
+RSpec.describe 'A very large request', type: :request do
+ it 'should not overflow cookies' do
+ get '/admin', foo: 'x' * ActionDispatch::Cookies::SignedCookieJar::MAX_COOKIE_SIZE
+ expect(response).to redirect_to 'http://www.example.com/#login?after_login=/admin'
+ end
+end
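Review bot: The example name `it 'should not overflow cookies'` uses the "should" wording RSpec style guides discourage; `it 'does not overflow cookies' do` states the behaviour directly. The only expectation is the redirect target, so the example would still pass if the session store silently dropped the return URL it is meant to protect; a second expectation on what the session retained after the request would pin the behaviour this commit is about, though the key Devise writes is not visible in this diff. A one-line comment above the `get` explaining that `'x' * MAX_COOKIE_SIZE` is chosen so the query string alone exceeds the cookie limit would make the boundary choice obvious to the next reader.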