Setup default session store internally, no longer through an applicat…

…ion initializer

- By default the session store will be set to cookie store with
  application name as session key.
- Older apps are not affected as they will have the session store
  initializer generated by Rails in older versions, and Rails will not
  overwrite the session store if it is already set or disabled.
- But new apps will not have the initializer, instead the session store
  will be set to cookie store by default.
- Based on comment by DHH here - #25181 (comment).

guides/source/action_controller_overview.md

@@ -362,7 +362,7 @@ If your user sessions don't store critical data or don't need to be around for l
 
 Read more about session storage in the [Security Guide](security.html).
 
-If you need a different session storage mechanism, you can change it in the `config/initializers/session_store.rb` file:
+If you need a different session storage mechanism, you can change it in an initializer:
 
 ```ruby
 # Use the database for sessions instead of the cookie-based default,
@@ -371,7 +371,7 @@ If you need a different session storage mechanism, you can change it in the `con
 # Rails.application.config.session_store :active_record_store
 ```
 
-Rails sets up a session key (the name of the cookie) when signing the session data. These can also be changed in `config/initializers/session_store.rb`:
+Rails sets up a session key (the name of the cookie) when signing the session data. These can also be changed in an initializer:
 
 ```ruby
 # Be sure to restart your server when you modify this file.

guides/source/configuring.md

@@ -142,7 +142,7 @@ defaults to `:debug` for all environments. The available log levels are: `:debug
 
 * `config.public_file_server.enabled` configures Rails to serve static files from the public directory. This option defaults to `true`, but in the production environment it is set to `false` because the server software (e.g. NGINX or Apache) used to run the application should serve static files instead. If you are running or testing your app in production mode using WEBrick (it is not recommended to use WEBrick in production) set the option to `true.` Otherwise, you won't be able to use page caching and request for files that exist under the public directory.
 
-* `config.session_store` is usually set up in `config/initializers/session_store.rb` and specifies what class to use to store the session. Possible values are `:cookie_store` which is the default, `:mem_cache_store`, and `:disabled`. The last one tells Rails not to deal with sessions. Custom session stores can also be specified:
+* `config.session_store` specifies what class to use to store the session. Possible values are `:cookie_store` which is the default, `:mem_cache_store`, and `:disabled`. The last one tells Rails not to deal with sessions. Defaults to a cookie store with application name as the session key. Custom session stores can also be specified:
 
     ```ruby
     config.session_store :my_custom_store

railties/CHANGELOG.md

@@ -1,3 +1,8 @@
+*   Set session store to cookie store internally and remove the initializer from
+    the generated app.
+
+    *Prathamesh Sonpatki*
+
 *   Set the server host using the `HOST` environment variable.
 
     *mahnunchik*

railties/lib/rails/application/configuration.rb

@@ -34,8 +34,6 @@ def initialize(*)
         @public_file_server.index_name   = "index"
         @force_ssl                       = false
         @ssl_options                     = {}
-        @session_store                   = :cookie_store
-        @session_options                 = {}
         @time_zone                       = "UTC"
         @beginning_of_week               = :monday
         @log_level                       = nil

railties/lib/rails/application/finisher.rb

@@ -33,6 +33,14 @@ module Finisher
         end
       end
 
+      # Setup default session store if not already set in config/application.rb
+      initializer :setup_default_session_store, before: :build_middleware_stack do |app|
+        unless app.config.session_store?
+          app_name = app.class.name ? app.railtie_name.chomp('_application') : ''
+          app.config.session_store :cookie_store, key: "_#{app_name}_session"
+        end
+      end
+
       initializer :build_middleware_stack do
         build_middleware_stack
       end

railties/lib/rails/generators/rails/app/app_generator.rb

@@ -337,7 +337,6 @@ def delete_action_cable_files_skipping_action_cable
 
       def delete_non_api_initializers_if_api_option
         if options[:api]
-          remove_file 'config/initializers/session_store.rb'
           remove_file 'config/initializers/cookies_serializer.rb'
         end
       end

railties/test/application/configuration_test.rb

@@ -1186,6 +1186,22 @@ def index
       end
     end
 
+    test "default session store initializer does not overwrite the user defined session store even if it is disabled" do
+      make_basic_app do |application|
+        application.config.session_store :disabled
+      end
+
+      assert_equal nil, app.config.session_store
+    end
+
+    test "default session store initializer sets session store to cookie store" do
+      session_options = { key: "_myapp_session", cookie_only: true }
+      make_basic_app
+
+      assert_equal ActionDispatch::Session::CookieStore, app.config.session_store
+      assert_equal session_options, app.config.session_options
+    end
+
     test "config.log_level with custom logger" do
       make_basic_app do |application|
         application.config.logger = Logger.new(STDOUT)

railties/test/generators/api_app_generator_test.rb

@@ -108,7 +108,6 @@ def skipped_files
        app/views/layouts/application.html.erb
        config/initializers/assets.rb
        config/initializers/cookies_serializer.rb
-       config/initializers/session_store.rb
        lib/assets
        vendor/assets
        test/helpers

railties/test/generators/app_generator_test.rb

@@ -131,7 +131,6 @@ def test_application_name_is_detected_if_it_exists_and_app_folder_renamed
         generator.send(:app_const)
         quietly { generator.send(:update_config_files) }
         assert_file "myapp_moved/config/environment.rb", /Rails\.application\.initialize!/
-        assert_file "myapp_moved/config/initializers/session_store.rb", /_myapp_session/
       end
     end
   end
@@ -144,7 +143,6 @@ def test_rails_update_generates_correct_session_key
       generator = Rails::Generators::AppGenerator.new ["rails"], [], destination_root: app_root, shell: @shell
       generator.send(:app_const)
       quietly { generator.send(:update_config_files) }
-      assert_file "myapp/config/initializers/session_store.rb", /_myapp_session/
     end
   end
 
@@ -552,13 +550,6 @@ def test_no_active_record_or_tests_if_skips_given
     assert_file "config/application.rb", /\s+require\s+["']active_job\/railtie["']/
   end
 
-  def test_new_hash_style
-    run_generator
-    assert_file "config/initializers/session_store.rb" do |file|
-      assert_match(/config.session_store :cookie_store, key: '_.+_session'/, file)
-    end
-  end
-
   def test_pretend_option
     output = run_generator [File.join(destination_root, "myapp"), "--pretend"]
     assert_no_match(/run  bundle install/, output)
@@ -571,7 +562,6 @@ def test_application_name_with_spaces
     run_generator [path, "-d", 'postgresql']
 
     assert_file "foo bar/config/database.yml", /database: foo_bar_development/
-    assert_file "foo bar/config/initializers/session_store.rb", /key: '_foo_bar/
   end
 
   def test_web_console