Allow session serializer key in config.session_store

MessageEncryptor has :serializer option, where any serializer object can
be passed. This commit make it possible to set this serializer from configuration
level.

There are predefined serializers (:marshal_serializer, :json_serialzier)
and custom serializer can be passed as String, Symbol (camelized and
constantized in ActionDispatch::Session namepspace) or serializer object.

Default :json_serializer was also added to generators to provide secure
defalt.

1 files changed, 22 insertions, 0 deletions

diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md
index c55637eb0a..0234120b45 100644
--- a/guides/source/action_controller_overview.md
+++ b/guides/source/action_controller_overview.md
@@ -381,6 +381,28 @@ You can also pass a `:domain` key and specify the domain name for the cookie:
 YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', domain: ".example.com"
 ```
 
+You can pass `:serializer` key to specify serializer for serializing session:
+
+```ruby
+YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: :json_serializer
+```
+
+Default serializer is `:marshal_serializer`. When Symbol or String is passed it
+will look for appropriate class in `ActionDispatch::Session` namespace, so
+passing `:my_custom_serializer` would load
+`ActionDispatch::Session::MyCustomSerializer`.
+
+```ruby
+YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: :my_custom_serializer
+```
+
+It is also possible to pass serializer object with defined `load` and `dump`
+public methods:
+
+```ruby
+YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: MyCustomSerializer
+```
+
 Rails sets up (for the CookieStore) a secret key used for signing the session data. This can be changed in `config/initializers/secret_token.rb`
 
 ```ruby