Permalink
Browse files

Renamed session_serializer option to cookies_serializer

  • Loading branch information...
1 parent f0d8996 commit b927d67decb9d4e5103b5991b7e26a4dab4eca92 @chancancode chancancode committed Feb 4, 2014
@@ -84,8 +84,6 @@ module Session
autoload :CookieStore, 'action_dispatch/middleware/session/cookie_store'
autoload :MemCacheStore, 'action_dispatch/middleware/session/mem_cache_store'
autoload :CacheStore, 'action_dispatch/middleware/session/cache_store'
- autoload :JsonSerializer, 'action_dispatch/middleware/session/json_serializer'
- autoload :MarshalSerializer, 'action_dispatch/middleware/session/marshal_serializer'
end
mattr_accessor :test_app
@@ -89,7 +89,7 @@ class Cookies
ENCRYPTED_SIGNED_COOKIE_SALT = "action_dispatch.encrypted_signed_cookie_salt".freeze
SECRET_TOKEN = "action_dispatch.secret_token".freeze
SECRET_KEY_BASE = "action_dispatch.secret_key_base".freeze
- SESSION_SERIALIZER = "action_dispatch.session_serializer".freeze
+ COOKIES_SERIALIZER = "action_dispatch.cookies_serializer".freeze
# Cookies can typically store 4096 bytes.
MAX_COOKIE_SIZE = 4096
@@ -212,7 +212,7 @@ def self.options_for_env(env) #:nodoc:
secret_token: env[SECRET_TOKEN],
secret_key_base: env[SECRET_KEY_BASE],
upgrade_legacy_signed_cookies: env[SECRET_TOKEN].present? && env[SECRET_KEY_BASE].present?,
- session_serializer: env[SESSION_SERIALIZER]
+ serializer: env[COOKIES_SERIALIZER]
}
end
@@ -374,14 +374,40 @@ def []=(name, options)
end
end
+ class JsonSerializer
+ def self.load(value)
+ JSON.parse(value, quirks_mode: true)
+ end
+
+ def self.dump(value)
+ JSON.generate(value, quirks_mode: true)
+ end
+ end
+
+ module SerializedCookieJars
+ protected
+ def serializer
+ serializer = @options[:serializer] || :marshal
+ case serializer
+ when :marshal
+ Marshal
+ when :json
+ JsonSerializer
+ else
+ serializer
+ end
+ end
+ end
+
class SignedCookieJar #:nodoc:
include ChainedCookieJars
+ include SerializedCookieJars
def initialize(parent_jar, key_generator, options = {})
@parent_jar = parent_jar
@options = options
secret = key_generator.generate_key(@options[:signed_cookie_salt])
- @verifier = ActiveSupport::MessageVerifier.new(secret)
+ @verifier = ActiveSupport::MessageVerifier.new(secret, serializer: serializer)
end
def [](name)
@@ -426,6 +452,7 @@ def [](name)
class EncryptedCookieJar #:nodoc:
include ChainedCookieJars
+ include SerializedCookieJars
def initialize(parent_jar, key_generator, options = {})
if ActiveSupport::LegacyKeyGenerator === key_generator
@@ -464,18 +491,6 @@ def decrypt_and_verify(encrypted_message)
rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveSupport::MessageEncryptor::InvalidMessage
nil
end
-
- def serializer
- serializer = @options[:session_serializer] || :marshal
- case serializer
- when :marshal
- ActionDispatch::Session::MarshalSerializer
- when :json
- ActionDispatch::Session::JsonSerializer
- else
- serializer
- end
- end
end
# UpgradeLegacyEncryptedCookieJar is used by ActionDispatch::Session::CookieStore
@@ -1,13 +0,0 @@
-module ActionDispatch
- module Session
- class JsonSerializer
- def self.load(value)
- JSON.parse(value, quirks_mode: true)
- end
-
- def self.dump(value)
- JSON.generate(value, quirks_mode: true)
- end
- end
- end
-end
@@ -1,14 +0,0 @@
-module ActionDispatch
- module Session
- class MarshalSerializer
- def self.load(value)
- Marshal.load(value)
- end
-
- def self.dump(value)
- Marshal.dump(value)
- end
- end
- end
-end
-
@@ -379,28 +379,28 @@ def test_encrypted_cookie
assert_equal 'bar', cookies.encrypted[:foo]
end
- class CustomJsonSerializer
+ class CustomSerializer
def self.load(value)
- JSON.load(value) + " and loaded"
+ value.to_s + " and loaded"
end
def self.dump(value)
- JSON.dump(value + " was dumped")
+ value.to_s + " was dumped"
end
end
def test_encrypted_cookie_using_serializer_object
- @request.env["action_dispatch.session_serializer"] = CustomJsonSerializer
+ @request.env["action_dispatch.cookies_serializer"] = CustomSerializer
get :set_encrypted_cookie
assert_equal 'bar was dumped and loaded', cookies.encrypted[:foo]
end
def test_encrypted_cookie_using_json_serializer
- @request.env["action_dispatch.session_serializer"] = :json
+ @request.env["action_dispatch.cookies_serializer"] = :json
get :set_encrypted_cookie
cookies = @controller.send :cookies
assert_not_equal 'bar', cookies[:foo]
- assert_raises TypeError do
+ assert_raises ::JSON::ParserError do
cookies.signed[:foo]
end
assert_equal 'bar', cookies.encrypted[:foo]
@@ -381,22 +381,6 @@ You can also pass a `:domain` key and specify the domain name for the cookie:
YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', domain: ".example.com"
```
-You can pass `:serializer` key to specify serializer for serializing session:
-
-```ruby
-YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: :json
-```
-
-The default serializer for new application is `:json`. For compatibility with
-old applications `:marshal` is used when `serializer` option is not specified.
-
-It is also possible to pass a custom serializer class with `load` and `dump`
-public methods defined:
-
-```ruby
-YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: MyCustomSerializer
-```
-
Rails sets up (for the CookieStore) a secret key used for signing the session data. This can be changed in `config/initializers/secret_token.rb`
```ruby
@@ -588,6 +572,33 @@ end
Note that while for session values you set the key to `nil`, to delete a cookie value you should use `cookies.delete(:key)`.
+Rails also provides a signed cookie jar and an encrypted cookie jar for storing
+sensitive data. The signed cookie jar appends a cryptographic signature on the
+cookie values to protect their integrity. The encrypted cookie jar encrypts the
+values in addition to signing them, so that they cannot be read by the end user.
+Refer to the [API documentation](http://api.rubyonrails.org/classes/ActionDispatch/Cookies.html)
+for more details.
+
+These special cookie jars use a serializer to serialize the assigned values into
+strings and deserializes them into Ruby objects on read.
+
+You can specify what serializer to use:
+
+```ruby
+YourApp::Application.config.cookies_serializer :json
+```
+
+The possible options are `:marshal` or `:json`. The default serializer for new
+applications is `:json`. For compatibility with old applications with existing
+cookies, `:marshal` is used when `serializer` option is not specified.
+
+It is also possible to pass a custom serializer class or object that responds
+to `load` and `dump`:
+
+```ruby
+YourApp::Application.config.cookies_serializer MyCustomSerializer
+```
+
Rendering XML and JSON data
---------------------------
@@ -206,7 +206,7 @@ def env_config
"action_dispatch.signed_cookie_salt" => config.action_dispatch.signed_cookie_salt,
"action_dispatch.encrypted_cookie_salt" => config.action_dispatch.encrypted_cookie_salt,
"action_dispatch.encrypted_signed_cookie_salt" => config.action_dispatch.encrypted_signed_cookie_salt,
- "action_dispatch.session_serializer" => config.session_options[:serializer]
+ "action_dispatch.cookies_serializer" => config.action_dispatch.cookies_serializer
})
end
end

0 comments on commit b927d67

Please sign in to comment.