Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Merge pull request #7436 from sikachu/master-remove-active_record-ses…

…sion_store

Extract ActiveRecord::SessionStore from Rails
  • Loading branch information...
commit 73c02220f83cfb181ccf99db0451983324e28804 2 parents 2c571b3 + 1807384
@josevalim josevalim authored
Showing with 41 additions and 976 deletions.
  1. +4 −0 actionpack/CHANGELOG.md
  2. +0 −9 actionpack/lib/action_controller/base.rb
  3. +0 −288 actionpack/test/activerecord/active_record_store_test.rb
  4. +3 −0  activerecord/CHANGELOG.md
  5. +0 −11 activerecord/lib/active_record.rb
  6. +0 −15 activerecord/lib/active_record/railties/databases.rake
  7. +0 −365 activerecord/lib/active_record/session_store.rb
  8. +0 −24 activerecord/lib/rails/generators/active_record/session_migration/session_migration_generator.rb
  9. +0 −12 activerecord/lib/rails/generators/active_record/session_migration/templates/migration.rb
  10. +0 −81 activerecord/test/cases/session_store/session_test.rb
  11. +0 −75 activerecord/test/cases/session_store/sql_bypass_test.rb
  12. +0 −5 guides/code/getting_started/config/initializers/session_store.rb
  13. +2 −0  guides/source/4_0_release_notes.textile
  14. +2 −2 guides/source/action_controller_overview.textile
  15. +3 −7 guides/source/active_support_core_extensions.textile
  16. +1 −9 guides/source/configuring.textile
  17. +1 −3 guides/source/security.textile
  18. +6 −1 railties/lib/rails/application/configuration.rb
  19. +0 −1  railties/lib/rails/generators.rb
  20. +0 −5 railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt
  21. +0 −8 railties/lib/rails/generators/rails/session_migration/USAGE
  22. +0 −8 railties/lib/rails/generators/rails/session_migration/session_migration_generator.rb
  23. +19 −0 railties/test/application/configuration_test.rb
  24. +0 −20 railties/test/application/initializers/frameworks_test.rb
  25. +0 −27 railties/test/generators/session_migration_generator_test.rb
View
4 actionpack/CHANGELOG.md
@@ -1,5 +1,9 @@
## Rails 4.0.0 (unreleased) ##
+* `ActiveRecord::SessionStore` is extracted out of Rails into a gem `activerecord-session_store`.
+ Setting `config.session_store` to `:active_record_store` will no longer work and will break
+ if the `activerecord-session_store` gem isn't available. *Prem Sichanugrist*
+
* Fix select_tag when option_tags is nil.
Fixes #7404.
View
9 actionpack/lib/action_controller/base.rb
@@ -88,15 +88,6 @@ module ActionController
#
# Do not put secret information in cookie-based sessions!
#
- # Other options for session storage:
- #
- # * ActiveRecord::SessionStore - Sessions are stored in your database, which works better than PStore with multiple app servers and,
- # unlike CookieStore, hides your session contents from the user. To use ActiveRecord::SessionStore, set
- #
- # MyApplication::Application.config.session_store :active_record_store
- #
- # in your <tt>config/initializers/session_store.rb</tt> and run <tt>script/rails g session_migration</tt>.
- #
# == Responses
#
# Each action results in a response, which holds the headers and document to be sent to the user's browser. The actual response
View
288 actionpack/test/activerecord/active_record_store_test.rb
@@ -1,288 +0,0 @@
-require 'active_record_unit'
-
-class ActiveRecordStoreTest < ActionDispatch::IntegrationTest
- class TestController < ActionController::Base
- def no_session_access
- head :ok
- end
-
- def set_session_value
- raise "missing session!" unless session
- session[:foo] = params[:foo] || "bar"
- head :ok
- end
-
- def get_session_value
- render :text => "foo: #{session[:foo].inspect}"
- end
-
- def get_session_id
- render :text => "#{request.session_options[:id]}"
- end
-
- def call_reset_session
- session[:foo]
- reset_session
- reset_session if params[:twice]
- session[:foo] = "baz"
- head :ok
- end
-
- def renew
- env["rack.session.options"][:renew] = true
- session[:foo] = "baz"
- head :ok
- end
- end
-
- def setup
- ActiveRecord::SessionStore.session_class.create_table!
- end
-
- def teardown
- ActiveRecord::SessionStore.session_class.drop_table!
- end
-
- %w{ session sql_bypass }.each do |class_name|
- define_method("test_setting_and_getting_session_value_with_#{class_name}_store") do
- with_store class_name do
- with_test_route_set do
- get '/set_session_value'
- assert_response :success
- assert cookies['_session_id']
-
- get '/get_session_value'
- assert_response :success
- assert_equal 'foo: "bar"', response.body
-
- get '/set_session_value', :foo => "baz"
- assert_response :success
- assert cookies['_session_id']
-
- get '/get_session_value'
- assert_response :success
- assert_equal 'foo: "baz"', response.body
-
- get '/call_reset_session'
- assert_response :success
- assert_not_equal [], headers['Set-Cookie']
- end
- end
- end
-
- define_method("test_renewing_with_#{class_name}_store") do
- with_store class_name do
- with_test_route_set do
- get '/set_session_value'
- assert_response :success
- assert cookies['_session_id']
-
- get '/renew'
- assert_response :success
- assert_not_equal [], headers['Set-Cookie']
- end
- end
- end
- end
-
- def test_getting_nil_session_value
- with_test_route_set do
- get '/get_session_value'
- assert_response :success
- assert_equal 'foo: nil', response.body
- end
- end
-
- def test_calling_reset_session_twice_does_not_raise_errors
- with_test_route_set do
- get '/call_reset_session', :twice => "true"
- assert_response :success
-
- get '/get_session_value'
- assert_response :success
- assert_equal 'foo: "baz"', response.body
- end
- end
-
- def test_setting_session_value_after_session_reset
- with_test_route_set do
- get '/set_session_value'
- assert_response :success
- assert cookies['_session_id']
- session_id = cookies['_session_id']
-
- get '/call_reset_session'
- assert_response :success
- assert_not_equal [], headers['Set-Cookie']
-
- get '/get_session_value'
- assert_response :success
- assert_equal 'foo: "baz"', response.body
-
- get '/get_session_id'
- assert_response :success
- assert_not_equal session_id, response.body
- end
- end
-
- def test_getting_session_value_after_session_reset
- with_test_route_set do
- get '/set_session_value'
- assert_response :success
- assert cookies['_session_id']
- session_cookie = cookies.send(:hash_for)['_session_id']
-
- get '/call_reset_session'
- assert_response :success
- assert_not_equal [], headers['Set-Cookie']
-
- cookies << session_cookie # replace our new session_id with our old, pre-reset session_id
-
- get '/get_session_value'
- assert_response :success
- assert_equal 'foo: nil', response.body, "data for this session should have been obliterated from the database"
- end
- end
-
- def test_getting_from_nonexistent_session
- with_test_route_set do
- get '/get_session_value'
- assert_response :success
- assert_equal 'foo: nil', response.body
- assert_nil cookies['_session_id'], "should only create session on write, not read"
- end
- end
-
- def test_getting_session_id
- with_test_route_set do
- get '/set_session_value'
- assert_response :success
- assert cookies['_session_id']
- session_id = cookies['_session_id']
-
- get '/get_session_id'
- assert_response :success
- assert_equal session_id, response.body, "should be able to read session id without accessing the session hash"
- end
- end
-
- def test_doesnt_write_session_cookie_if_session_id_is_already_exists
- with_test_route_set do
- get '/set_session_value'
- assert_response :success
- assert cookies['_session_id']
-
- get '/get_session_value'
- assert_response :success
- assert_equal nil, headers['Set-Cookie'], "should not resend the cookie again if session_id cookie is already exists"
- end
- end
-
- def test_prevents_session_fixation
- with_test_route_set do
- get '/set_session_value'
- assert_response :success
- assert cookies['_session_id']
-
- get '/get_session_value'
- assert_response :success
- assert_equal 'foo: "bar"', response.body
- session_id = cookies['_session_id']
- assert session_id
-
- reset!
-
- get '/get_session_value', :_session_id => session_id
- assert_response :success
- assert_equal 'foo: nil', response.body
- assert_not_equal session_id, cookies['_session_id']
- end
- end
-
- def test_allows_session_fixation
- with_test_route_set(:cookie_only => false) do
- get '/set_session_value'
- assert_response :success
- assert cookies['_session_id']
-
- get '/get_session_value'
- assert_response :success
- assert_equal 'foo: "bar"', response.body
- session_id = cookies['_session_id']
- assert session_id
-
- reset!
-
- get '/set_session_value', :_session_id => session_id, :foo => "baz"
- assert_response :success
- assert_equal session_id, cookies['_session_id']
-
- get '/get_session_value', :_session_id => session_id
- assert_response :success
- assert_equal 'foo: "baz"', response.body
- assert_equal session_id, cookies['_session_id']
- end
- end
-
- def test_incoming_invalid_session_id_via_cookie_should_be_ignored
- with_test_route_set do
- open_session do |sess|
- sess.cookies['_session_id'] = 'INVALID'
-
- sess.get '/set_session_value'
- new_session_id = sess.cookies['_session_id']
- assert_not_equal 'INVALID', new_session_id
-
- sess.get '/get_session_value'
- new_session_id_2 = sess.cookies['_session_id']
- assert_equal new_session_id, new_session_id_2
- end
- end
- end
-
- def test_incoming_invalid_session_id_via_parameter_should_be_ignored
- with_test_route_set(:cookie_only => false) do
- open_session do |sess|
- sess.get '/set_session_value', :_session_id => 'INVALID'
- new_session_id = sess.cookies['_session_id']
- assert_not_equal 'INVALID', new_session_id
-
- sess.get '/get_session_value'
- new_session_id_2 = sess.cookies['_session_id']
- assert_equal new_session_id, new_session_id_2
- end
- end
- end
-
- def test_session_store_with_all_domains
- with_test_route_set(:domain => :all) do
- get '/set_session_value'
- assert_response :success
- end
- end
-
- private
-
- def with_test_route_set(options = {})
- with_routing do |set|
- set.draw do
- get ':action', :to => 'active_record_store_test/test'
- end
-
- @app = self.class.build_app(set) do |middleware|
- middleware.use ActiveRecord::SessionStore, options.reverse_merge(:key => '_session_id')
- middleware.delete "ActionDispatch::ShowExceptions"
- end
-
- yield
- end
- end
-
- def with_store(class_name)
- session_class, ActiveRecord::SessionStore.session_class =
- ActiveRecord::SessionStore.session_class, "ActiveRecord::SessionStore::#{class_name.camelize}".constantize
- yield
- ensure
- ActiveRecord::SessionStore.session_class = session_class
- end
-end
View
3  activerecord/CHANGELOG.md
@@ -1,5 +1,8 @@
## Rails 4.0.0 (unreleased) ##
+* ActiveRecord::SessionStore has been extracted from Active Record as `activerecord-session_store`
+ gem. Please read the `README.md` file on the gem for the usage. *Prem Sichanugrist*
+
* Fix `reset_counters` when there are multiple `belongs_to` association with the
same foreign key and one of them have a counter cache.
Fixes #5200.
View
11 activerecord/lib/active_record.rb
@@ -53,17 +53,6 @@ module ActiveRecord
autoload :ReadonlyAttributes
autoload :Reflection
autoload :Sanitization
-
- # ActiveRecord::SessionStore depends on the abstract store in Action Pack.
- # Eager loading this class would break client code that eager loads Active
- # Record standalone.
- #
- # Note that the Rails application generator creates an initializer specific
- # for setting the session store. Thus, albeit in theory this autoload would
- # not be thread-safe, in practice it is because if the application uses this
- # session store its autoload happens at boot time.
- autoload :SessionStore
-
autoload :Schema
autoload :SchemaDumper
autoload :SchemaMigration
View
15 activerecord/lib/active_record/railties/databases.rake
@@ -408,21 +408,6 @@ db_namespace = namespace :db do
end
end
end
-
- namespace :sessions do
- # desc "Creates a sessions migration for use with ActiveRecord::SessionStore"
- task :create => [:environment, :load_config] do
- raise 'Task unavailable to this database (no migration support)' unless ActiveRecord::Base.connection.supports_migrations?
- Rails.application.load_generators
- require 'rails/generators/rails/session_migration/session_migration_generator'
- Rails::Generators::SessionMigrationGenerator.start [ ENV['MIGRATION'] || 'add_sessions_table' ]
- end
-
- # desc "Clear the sessions table"
- task :clear => [:environment, :load_config] do
- ActiveRecord::Base.connection.execute "DELETE FROM #{ActiveRecord::SessionStore::Session.table_name}"
- end
- end
end
namespace :railties do
View
365 activerecord/lib/active_record/session_store.rb
@@ -1,365 +0,0 @@
-require 'action_dispatch/middleware/session/abstract_store'
-
-module ActiveRecord
- # = Active Record Session Store
- #
- # A session store backed by an Active Record class. A default class is
- # provided, but any object duck-typing to an Active Record Session class
- # with text +session_id+ and +data+ attributes is sufficient.
- #
- # The default assumes a +sessions+ tables with columns:
- # +id+ (numeric primary key),
- # +session_id+ (string, usually varchar; maximum length is 255), and
- # +data+ (text or longtext; careful if your session data exceeds 65KB).
- #
- # The +session_id+ column should always be indexed for speedy lookups.
- # Session data is marshaled to the +data+ column in Base64 format.
- # If the data you write is larger than the column's size limit,
- # ActionController::SessionOverflowError will be raised.
- #
- # You may configure the table name, primary key, and data column.
- # For example, at the end of <tt>config/application.rb</tt>:
- #
- # ActiveRecord::SessionStore::Session.table_name = 'legacy_session_table'
- # ActiveRecord::SessionStore::Session.primary_key = 'session_id'
- # ActiveRecord::SessionStore::Session.data_column_name = 'legacy_session_data'
- #
- # Note that setting the primary key to the +session_id+ frees you from
- # having a separate +id+ column if you don't want it. However, you must
- # set <tt>session.model.id = session.session_id</tt> by hand! A before filter
- # on ApplicationController is a good place.
- #
- # Since the default class is a simple Active Record, you get timestamps
- # for free if you add +created_at+ and +updated_at+ datetime columns to
- # the +sessions+ table, making periodic session expiration a snap.
- #
- # You may provide your own session class implementation, whether a
- # feature-packed Active Record or a bare-metal high-performance SQL
- # store, by setting
- #
- # ActiveRecord::SessionStore.session_class = MySessionClass
- #
- # You must implement these methods:
- #
- # self.find_by_session_id(session_id)
- # initialize(hash_of_session_id_and_data, options_hash = {})
- # attr_reader :session_id
- # attr_accessor :data
- # save
- # destroy
- #
- # The example SqlBypass class is a generic SQL session store. You may
- # use it as a basis for high-performance database-specific stores.
- class SessionStore < ActionDispatch::Session::AbstractStore
- module ClassMethods # :nodoc:
- def marshal(data)
- ::Base64.encode64(Marshal.dump(data)) if data
- end
-
- def unmarshal(data)
- Marshal.load(::Base64.decode64(data)) if data
- end
-
- def drop_table!
- connection.schema_cache.clear_table_cache!(table_name)
- connection.drop_table table_name
- end
-
- def create_table!
- connection.schema_cache.clear_table_cache!(table_name)
- connection.create_table(table_name) do |t|
- t.string session_id_column, :limit => 255
- t.text data_column_name
- end
- connection.add_index table_name, session_id_column, :unique => true
- end
- end
-
- # The default Active Record class.
- class Session < ActiveRecord::Base
- extend ClassMethods
-
- ##
- # :singleton-method:
- # Customizable data column name. Defaults to 'data'.
- cattr_accessor :data_column_name
- self.data_column_name = 'data'
-
- attr_accessible :session_id, :data, :marshaled_data
-
- before_save :marshal_data!
- before_save :raise_on_session_data_overflow!
-
- class << self
- def data_column_size_limit
- @data_column_size_limit ||= columns_hash[data_column_name].limit
- end
-
- # Hook to set up sessid compatibility.
- def find_by_session_id(session_id)
- setup_sessid_compatibility!
- find_by_session_id(session_id)
- end
-
- private
- def session_id_column
- 'session_id'
- end
-
- # Compatibility with tables using sessid instead of session_id.
- def setup_sessid_compatibility!
- # Reset column info since it may be stale.
- reset_column_information
- if columns_hash['sessid']
- def self.find_by_session_id(*args)
- find_by_sessid(*args)
- end
-
- define_method(:session_id) { sessid }
- define_method(:session_id=) { |session_id| self.sessid = session_id }
- else
- class << self; remove_possible_method :find_by_session_id; end
-
- def self.find_by_session_id(session_id)
- where(session_id: session_id).first
- end
- end
- end
- end
-
- def initialize(attributes = nil, options = {})
- @data = nil
- super
- end
-
- # Lazy-unmarshal session state.
- def data
- @data ||= self.class.unmarshal(read_attribute(@@data_column_name)) || {}
- end
-
- attr_writer :data
-
- # Has the session been loaded yet?
- def loaded?
- @data
- end
-
- private
- def marshal_data!
- return false unless loaded?
- write_attribute(@@data_column_name, self.class.marshal(data))
- end
-
- # Ensures that the data about to be stored in the database is not
- # larger than the data storage column. Raises
- # ActionController::SessionOverflowError.
- def raise_on_session_data_overflow!
- return false unless loaded?
- limit = self.class.data_column_size_limit
- if limit and read_attribute(@@data_column_name).size > limit
- raise ActionController::SessionOverflowError
- end
- end
- end
-
- # A barebones session store which duck-types with the default session
- # store but bypasses Active Record and issues SQL directly. This is
- # an example session model class meant as a basis for your own classes.
- #
- # The database connection, table name, and session id and data columns
- # are configurable class attributes. Marshaling and unmarshaling
- # are implemented as class methods that you may override. By default,
- # marshaling data is
- #
- # ::Base64.encode64(Marshal.dump(data))
- #
- # and unmarshaling data is
- #
- # Marshal.load(::Base64.decode64(data))
- #
- # This marshaling behavior is intended to store the widest range of
- # binary session data in a +text+ column. For higher performance,
- # store in a +blob+ column instead and forgo the Base64 encoding.
- class SqlBypass
- extend ClassMethods
-
- ##
- # :singleton-method:
- # The table name defaults to 'sessions'.
- cattr_accessor :table_name
- @@table_name = 'sessions'
-
- ##
- # :singleton-method:
- # The session id field defaults to 'session_id'.
- cattr_accessor :session_id_column
- @@session_id_column = 'session_id'
-
- ##
- # :singleton-method:
- # The data field defaults to 'data'.
- cattr_accessor :data_column
- @@data_column = 'data'
-
- class << self
- alias :data_column_name :data_column
-
- # Use the ActiveRecord::Base.connection by default.
- attr_writer :connection
-
- # Use the ActiveRecord::Base.connection_pool by default.
- attr_writer :connection_pool
-
- def connection
- @connection ||= ActiveRecord::Base.connection
- end
-
- def connection_pool
- @connection_pool ||= ActiveRecord::Base.connection_pool
- end
-
- # Look up a session by id and unmarshal its data if found.
- def find_by_session_id(session_id)
- if record = connection.select_one("SELECT #{connection.quote_column_name(data_column)} AS data FROM #{@@table_name} WHERE #{connection.quote_column_name(@@session_id_column)}=#{connection.quote(session_id.to_s)}")
- new(:session_id => session_id, :marshaled_data => record['data'])
- end
- end
- end
-
- delegate :connection, :connection=, :connection_pool, :connection_pool=, :to => self
-
- attr_reader :session_id, :new_record
- alias :new_record? :new_record
-
- attr_writer :data
-
- # Look for normal and marshaled data, self.find_by_session_id's way of
- # telling us to postpone unmarshaling until the data is requested.
- # We need to handle a normal data attribute in case of a new record.
- def initialize(attributes)
- @session_id = attributes[:session_id]
- @data = attributes[:data]
- @marshaled_data = attributes[:marshaled_data]
- @new_record = @marshaled_data.nil?
- end
-
- # Returns true if the record is persisted, i.e. it's not a new record
- def persisted?
- !@new_record
- end
-
- # Lazy-unmarshal session state.
- def data
- unless @data
- if @marshaled_data
- @data, @marshaled_data = self.class.unmarshal(@marshaled_data) || {}, nil
- else
- @data = {}
- end
- end
- @data
- end
-
- def loaded?
- @data
- end
-
- def save
- return false unless loaded?
- marshaled_data = self.class.marshal(data)
- connect = connection
-
- if @new_record
- @new_record = false
- connect.update <<-end_sql, 'Create session'
- INSERT INTO #{table_name} (
- #{connect.quote_column_name(session_id_column)},
- #{connect.quote_column_name(data_column)} )
- VALUES (
- #{connect.quote(session_id)},
- #{connect.quote(marshaled_data)} )
- end_sql
- else
- connect.update <<-end_sql, 'Update session'
- UPDATE #{table_name}
- SET #{connect.quote_column_name(data_column)}=#{connect.quote(marshaled_data)}
- WHERE #{connect.quote_column_name(session_id_column)}=#{connect.quote(session_id)}
- end_sql
- end
- end
-
- def destroy
- return if @new_record
-
- connect = connection
- connect.delete <<-end_sql, 'Destroy session'
- DELETE FROM #{table_name}
- WHERE #{connect.quote_column_name(session_id_column)}=#{connect.quote(session_id.to_s)}
- end_sql
- end
- end
-
- # The class used for session storage. Defaults to
- # ActiveRecord::SessionStore::Session
- cattr_accessor :session_class
- self.session_class = Session
-
- SESSION_RECORD_KEY = 'rack.session.record'
- ENV_SESSION_OPTIONS_KEY = Rack::Session::Abstract::ENV_SESSION_OPTIONS_KEY
-
- private
- def get_session(env, sid)
- Base.silence do
- unless sid and session = @@session_class.find_by_session_id(sid)
- # If the sid was nil or if there is no pre-existing session under the sid,
- # force the generation of a new sid and associate a new session associated with the new sid
- sid = generate_sid
- session = @@session_class.new(:session_id => sid, :data => {})
- end
- env[SESSION_RECORD_KEY] = session
- [sid, session.data]
- end
- end
-
- def set_session(env, sid, session_data, options)
- Base.silence do
- record = get_session_model(env, sid)
- record.data = session_data
- return false unless record.save
-
- session_data = record.data
- if session_data && session_data.respond_to?(:each_value)
- session_data.each_value do |obj|
- obj.clear_association_cache if obj.respond_to?(:clear_association_cache)
- end
- end
- end
-
- sid
- end
-
- def destroy_session(env, session_id, options)
- if sid = current_session_id(env)
- Base.silence do
- get_session_model(env, sid).destroy
- env[SESSION_RECORD_KEY] = nil
- end
- end
-
- generate_sid unless options[:drop]
- end
-
- def get_session_model(env, sid)
- if env[ENV_SESSION_OPTIONS_KEY][:id].nil?
- env[SESSION_RECORD_KEY] = find_session(sid)
- else
- env[SESSION_RECORD_KEY] ||= find_session(sid)
- end
- end
-
- def find_session(id)
- @@session_class.find_by_session_id(id) ||
- @@session_class.new(:session_id => id, :data => {})
- end
- end
-end
View
24 activerecord/lib/rails/generators/active_record/session_migration/session_migration_generator.rb
@@ -1,24 +0,0 @@
-require 'rails/generators/active_record'
-
-module ActiveRecord
- module Generators
- class SessionMigrationGenerator < Base
- argument :name, :type => :string, :default => "add_sessions_table"
-
- def create_migration_file
- migration_template "migration.rb", "db/migrate/#{file_name}.rb"
- end
-
- protected
-
- def session_table_name
- current_table_name = ActiveRecord::SessionStore::Session.table_name
- if current_table_name == 'session' || current_table_name == 'sessions'
- current_table_name = ActiveRecord::Base.pluralize_table_names ? 'sessions' : 'session'
- end
- current_table_name
- end
-
- end
- end
-end
View
12 activerecord/lib/rails/generators/active_record/session_migration/templates/migration.rb
@@ -1,12 +0,0 @@
-class <%= migration_class_name %> < ActiveRecord::Migration
- def change
- create_table :<%= session_table_name %> do |t|
- t.string :session_id, :null => false
- t.text :data
- t.timestamps
- end
-
- add_index :<%= session_table_name %>, :session_id
- add_index :<%= session_table_name %>, :updated_at
- end
-end
View
81 activerecord/test/cases/session_store/session_test.rb
@@ -1,81 +0,0 @@
-require 'cases/helper'
-require 'action_dispatch'
-require 'active_record/session_store'
-
-module ActiveRecord
- class SessionStore
- class SessionTest < ActiveRecord::TestCase
- self.use_transactional_fixtures = false
-
- attr_reader :session_klass
-
- def setup
- super
- ActiveRecord::Base.connection.schema_cache.clear!
- Session.drop_table! if Session.table_exists?
- @session_klass = Class.new(Session)
- end
-
- def test_data_column_name
- # default column name is 'data'
- assert_equal 'data', Session.data_column_name
- end
-
- def test_table_name
- assert_equal 'sessions', Session.table_name
- end
-
- def test_accessible_attributes
- assert Session.accessible_attributes.include?(:session_id)
- assert Session.accessible_attributes.include?(:data)
- assert Session.accessible_attributes.include?(:marshaled_data)
- end
-
- def test_create_table!
- assert !Session.table_exists?
- Session.create_table!
- assert Session.table_exists?
- Session.drop_table!
- assert !Session.table_exists?
- end
-
- def test_find_by_sess_id_compat
- Session.reset_column_information
- klass = Class.new(Session) do
- def self.session_id_column
- 'sessid'
- end
- end
- klass.create_table!
-
- assert klass.columns_hash['sessid'], 'sessid column exists'
- session = klass.new(:data => 'hello')
- session.sessid = "100"
- session.save!
-
- found = klass.find_by_session_id("100")
- assert_equal session, found
- assert_equal session.sessid, found.session_id
- ensure
- klass.drop_table!
- Session.reset_column_information
- end
-
- def test_find_by_session_id
- Session.create_table!
- session_id = "10"
- s = session_klass.create!(:data => 'world', :session_id => session_id)
- t = session_klass.find_by_session_id(session_id)
- assert_equal s, t
- assert_equal s.data, t.data
- Session.drop_table!
- end
-
- def test_loaded?
- Session.create_table!
- s = Session.new
- assert !s.loaded?, 'session is not loaded'
- end
- end
- end
-end
View
75 activerecord/test/cases/session_store/sql_bypass_test.rb
@@ -1,75 +0,0 @@
-require 'cases/helper'
-require 'action_dispatch'
-require 'active_record/session_store'
-
-module ActiveRecord
- class SessionStore
- class SqlBypassTest < ActiveRecord::TestCase
- def setup
- super
- Session.drop_table! if Session.table_exists?
- end
-
- def test_create_table
- assert !Session.table_exists?
- SqlBypass.create_table!
- assert Session.table_exists?
- SqlBypass.drop_table!
- assert !Session.table_exists?
- end
-
- def test_new_record?
- s = SqlBypass.new :data => 'foo', :session_id => 10
- assert s.new_record?, 'this is a new record!'
- end
-
- def test_persisted?
- s = SqlBypass.new :data => 'foo', :session_id => 10
- assert !s.persisted?, 'this is a new record!'
- end
-
- def test_not_loaded?
- s = SqlBypass.new({})
- assert !s.loaded?, 'it is not loaded'
- end
-
- def test_loaded?
- s = SqlBypass.new :data => 'hello'
- assert s.loaded?, 'it is loaded'
- end
-
- def test_save
- SqlBypass.create_table! unless Session.table_exists?
- session_id = 20
- s = SqlBypass.new :data => 'hello', :session_id => session_id
- s.save
- t = SqlBypass.find_by_session_id session_id
- assert_equal s.session_id, t.session_id
- assert_equal s.data, t.data
- end
-
- def test_destroy
- SqlBypass.create_table! unless Session.table_exists?
- session_id = 20
- s = SqlBypass.new :data => 'hello', :session_id => session_id
- s.save
- s.destroy
- assert_nil SqlBypass.find_by_session_id session_id
- end
-
- def test_data_column
- SqlBypass.drop_table! if exists = Session.table_exists?
- old, SqlBypass.data_column = SqlBypass.data_column, 'foo'
- SqlBypass.create_table!
-
- session_id = 20
- SqlBypass.new(:data => 'hello', :session_id => session_id).save
- assert_equal 'hello', SqlBypass.find_by_session_id(session_id).data
- ensure
- SqlBypass.drop_table!
- SqlBypass.data_column = old
- SqlBypass.create_table! if exists
- end
- end
- end
-end
View
5 guides/code/getting_started/config/initializers/session_store.rb
@@ -1,8 +1,3 @@
# Be sure to restart your server when you modify this file.
Blog::Application.config.session_store :cookie_store, key: '_blog_session'
-
-# Use the database for sessions instead of the cookie-based default,
-# which shouldn't be used to store highly confidential information
-# (create the session table with "rails generate session_migration")
-# Blog::Application.config.session_store :active_record_store
View
2  guides/source/4_0_release_notes.textile
@@ -730,6 +730,8 @@ where(...).remove_conditions # => still has conditions
* The migration generator now creates a join table with (commented) indexes every time the migration name contains the word "join_table".
+* <tt>ActiveRecord::SessionStore</tt> is removed from Rails 4.0 and is now a separate "gem":https://github.com/rails/activerecord-session_store.
+
h3. Active Model
* Changed <tt>AM::Serializers::JSON.include_root_in_json</tt> default value to false. Now, AM Serializers and AR objects have the same default behaviour.
View
4 guides/source/action_controller_overview.textile
@@ -168,8 +168,8 @@ h3. Session
Your application has a session for each user in which you can store small amounts of data that will be persisted between requests. The session is only available in the controller and the view and can use one of a number of different storage mechanisms:
* ActionDispatch::Session::CookieStore - Stores everything on the client.
-* ActiveRecord::SessionStore - Stores the data in a database using Active Record.
* ActionDispatch::Session::CacheStore - Stores the data in the Rails cache.
+* ActionDispatch::Session::ActiveRecordStore - Stores the data in a database using Active Record. (require `activerecord-session_store` gem).
* ActionDispatch::Session::MemCacheStore - Stores the data in a memcached cluster (this is a legacy implementation; consider using CacheStore instead).
All session stores use a cookie to store a unique ID for each session (you must use a cookie, Rails will not allow you to pass the session ID in the URL as this is less secure).
@@ -187,7 +187,7 @@ If you need a different session storage mechanism, you can change it in the +con
<ruby>
# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
-# (create the session table with "script/rails g session_migration")
+# (create the session table with "script/rails g active_record:session_migration")
# YourApp::Application.config.session_store :active_record_store
</ruby>
View
10 guides/source/active_support_core_extensions.textile
@@ -1491,13 +1491,9 @@ For example, Action Pack uses this method to load the class that provides a cert
<ruby>
# action_controller/metal/session_management.rb
def session_store=(store)
- if store == :active_record_store
- self.session_store = ActiveRecord::SessionStore
- else
- @@session_store = store.is_a?(Symbol) ?
- ActionDispatch::Session.const_get(store.to_s.camelize) :
- store
- end
+ @@session_store = store.is_a?(Symbol) ?
+ ActionDispatch::Session.const_get(store.to_s.camelize) :
+ store
end
</ruby>
View
10 guides/source/configuring.textile
@@ -127,7 +127,7 @@ end
config.session_store :my_custom_store
</ruby>
-This custom store must be defined as +ActionDispatch::Session::MyCustomStore+. In addition to symbols, they can also be objects implementing a certain API, like +ActiveRecord::SessionStore+, in which case no special namespace is required.
+This custom store must be defined as +ActionDispatch::Session::MyCustomStore+.
* +config.time_zone+ sets the default time zone for the application and enables time zone awareness for Active Record.
@@ -322,14 +322,6 @@ The caching code adds two additional settings:
* +ActionController::Base.page_cache_extension+ sets the extension to be used when generating pages for the cache (this is ignored if the incoming request already has an extension). The default is +.html+.
-The Active Record session store can also be configured:
-
-* +ActiveRecord::SessionStore::Session.table_name+ sets the name of the table used to store sessions. Defaults to +sessions+.
-
-* +ActiveRecord::SessionStore::Session.primary_key+ sets the name of the ID column used in the sessions table. Defaults to +session_id+.
-
-* +ActiveRecord::SessionStore::Session.data_column_name+ sets the name of the column which stores marshaled session data. Defaults to +data+.
-
h4. Configuring Action Dispatch
* +config.action_dispatch.session_store+ sets the name of the store for session data. The default is +:cookie_store+; other valid options include +:active_record_store+, +:mem_cache_store+ or the name of your own custom class.
View
4 guides/source/security.textile
@@ -81,9 +81,7 @@ This will also be a good idea, if you modify the structure of an object and old
h4. Session Storage
-NOTE: _Rails provides several storage mechanisms for the session hashes. The most important are +ActiveRecord::SessionStore+ and +ActionDispatch::Session::CookieStore+._
-
-There are a number of session storages, i.e. where Rails saves the session hash and session id. Most real-live applications choose ActiveRecord::SessionStore (or one of its derivatives) over file storage due to performance and maintenance reasons. ActiveRecord::SessionStore keeps the session id and hash in a database table and saves and retrieves the hash on every request.
+NOTE: _Rails provides several storage mechanisms for the session hashes. The most important is +ActionDispatch::Session::CookieStore+._
Rails 2 introduced a new default session storage, CookieStore. CookieStore saves the session hash directly in a cookie on the client-side. The server retrieves the session hash from the cookie and eliminates the need for a session id. That will greatly increase the speed of the application, but it is a controversial storage option and you have to think about the security implications of it:
View
7 railties/lib/rails/application/configuration.rb
@@ -126,7 +126,12 @@ def session_store(*args)
when :disabled
nil
when :active_record_store
- ActiveRecord::SessionStore
+ begin
+ ActionDispatch::Session::ActiveRecordStore
+ rescue NameError
+ raise "`ActiveRecord::SessionStore` is extracted out of Rails into a gem. " \
+ "Please add `activerecord-session_store` to your Gemfile to use it."
+ end
when Symbol
ActionDispatch::Session.const_get(@session_store.to_s.camelize)
else
View
1  railties/lib/rails/generators.rb
@@ -173,7 +173,6 @@ def self.hidden_namespaces
"#{orm}:migration",
"#{orm}:model",
"#{orm}:observer",
- "#{orm}:session_migration",
"#{test}:controller",
"#{test}:helper",
"#{test}:integration",
View
5 railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt
@@ -1,8 +1,3 @@
# Be sure to restart your server when you modify this file.
<%= app_const %>.config.session_store :cookie_store, key: <%= "'_#{app_name}_session'" %>
-
-# Use the database for sessions instead of the cookie-based default,
-# which shouldn't be used to store highly confidential information
-# (create the session table with "rails generate session_migration").
-# <%= app_const %>.config.session_store :active_record_store
View
8 railties/lib/rails/generators/rails/session_migration/USAGE
@@ -1,8 +0,0 @@
-Description:
- Creates a migration to add the sessions table used by the ORM session store.
- Pass the migration name, either CamelCased or under_scored, as an argument.
-
- Before invoking this generator, be sure that your ORM supports session stores.
-
-Example:
- `rails generate session_migration CreateSessionTable`
View
8 railties/lib/rails/generators/rails/session_migration/session_migration_generator.rb
@@ -1,8 +0,0 @@
-module Rails
- module Generators
- class SessionMigrationGenerator < NamedBase #metagenerator
- argument :name, :type => :string, :default => "add_sessions_table"
- hook_for :orm, :required => true
- end
- end
-end
View
19 railties/test/application/configuration_test.rb
@@ -630,5 +630,24 @@ class FooObserver < ActiveRecord::Observer
ActiveRecord::Base
assert defined?(FooObserver)
end
+
+ test "config.session_store with :active_record_store with activerecord-session_store gem" do
+ begin
+ make_basic_app do |app|
+ ActionDispatch::Session::ActiveRecordStore = Class.new(ActionDispatch::Session::CookieStore)
+ app.config.session_store :active_record_store
+ end
+ ensure
+ ActionDispatch::Session.send :remove_const, :ActiveRecordStore
+ end
+ end
+
+ test "config.session_store with :active_record_store without activerecord-session_store gem" do
+ assert_raise RuntimeError, /activerecord-session_store/ do
+ make_basic_app do |app|
+ app.config.session_store :active_record_store
+ end
+ end
+ end
end
end
View
20 railties/test/application/initializers/frameworks_test.rb
@@ -163,26 +163,6 @@ def from_bar_helper
end
# AR
- test "database middleware doesn't initialize when session store is not active_record" do
- add_to_config <<-RUBY
- config.root = "#{app_path}"
- config.session_store :cookie_store, { :key => "blahblahblah" }
- RUBY
- require "#{app_path}/config/environment"
-
- assert !Rails.application.config.middleware.include?(ActiveRecord::SessionStore)
- end
-
- test "database middleware initializes when session store is active record" do
- add_to_config "config.session_store :active_record_store"
-
- require "#{app_path}/config/environment"
-
- expects = [ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActiveRecord::SessionStore]
- middleware = Rails.application.config.middleware.map { |m| m.klass }
- assert_equal expects, middleware & expects
- end
-
test "active_record extensions are applied to ActiveRecord" do
add_to_config "config.active_record.table_name_prefix = 'tbl_'"
require "#{app_path}/config/environment"
View
27 railties/test/generators/session_migration_generator_test.rb
@@ -1,27 +0,0 @@
-require 'generators/generators_test_helper'
-require 'rails/generators/rails/session_migration/session_migration_generator'
-
-class SessionMigrationGeneratorTest < Rails::Generators::TestCase
- include GeneratorsTestHelper
-
- def test_session_migration_with_default_name
- run_generator
- assert_migration "db/migrate/add_sessions_table.rb", /class AddSessionsTable < ActiveRecord::Migration/
- end
-
- def test_session_migration_with_given_name
- run_generator ["create_session_table"]
- assert_migration "db/migrate/create_session_table.rb", /class CreateSessionTable < ActiveRecord::Migration/
- end
-
- def test_session_migration_with_custom_table_name
- ActiveRecord::SessionStore::Session.table_name = "custom_table_name"
- run_generator
- assert_migration "db/migrate/add_sessions_table.rb" do |migration|
- assert_match(/class AddSessionsTable < ActiveRecord::Migration/, migration)
- assert_match(/create_table :custom_table_name/, migration)
- end
- ensure
- ActiveRecord::SessionStore::Session.table_name = "sessions"
- end
-end
Please sign in to comment.
Something went wrong with that request. Please try again.