From 678aeb7e48fef9cd3107f22fb4ae9d1ecec27a59 Mon Sep 17 00:00:00 2001 From: Daniel McNevin Date: Sun, 8 Aug 2010 19:57:42 -0400 Subject: updated the action_controller guide with the new session configuration options --- .../source/action_controller_overview.textile | 41 +++++++++++++++------- 1 file changed, 28 insertions(+), 13 deletions(-) (limited to 'railties/guides/source/action_controller_overview.textile') diff --git a/railties/guides/source/action_controller_overview.textile b/railties/guides/source/action_controller_overview.textile index 038ca903c1..ff112608ff 100644 --- a/railties/guides/source/action_controller_overview.textile +++ b/railties/guides/source/action_controller_overview.textile 
@@ -159,23 +159,38 @@ Read more about session storage in the "Security Guide":security.html. If you need a different session storage mechanism, you can change it in the +config/initializers/session_store.rb+ file: -# Use the database for sessions instead of the cookie-based default, -# which shouldn't be used to store highly confidential information -# (create the session table with "rake db:sessions:create") -# ActionController::Base.session_store = :active_record_store + # Use the database for sessions instead of the cookie-based default, + # which shouldn't be used to store highly confidential information + # (create the session table with "rake db:sessions:create") + # YourApp::Application.config.session_store :active_record_store -Rails sets up a session key (the name of the cookie) and (for the CookieStore) a secret key used when signing the session data. These can also be changed in +config/initializers/session_store.rb+: +Rails sets up a session key (the name of the cookie) when signing the session data. These can also be changed in +config/initializers/session_store.rb+: -# Your secret key for verifying cookie session data integrity. -# If you change this key, all old sessions will become invalid! -# Make sure the secret is at least 30 characters and all random, -# no regular words or you'll be exposed to dictionary attacks. -ActionController::Base.session = { - :key => '_yourappname_session', - :secret => '4f50711b8f0f49572...' -} + # Be sure to restart your server when you modify this file. + + YourApp::Application.config.session_store :cookie_store, :key => '_your_app_session' + + +You can also pass a +:domain+ key and specify the domain name for the cookie: + + + # Be sure to restart your server when you modify this file. + + YourApp::Application.config.session_store :cookie_store, :key => '_your_app_session', :domain => ".test.com" + + +Rails sets up (for the CookieStore) a secret key used for signing the session data. 
This can be changed in +config/initializers/secret_token.rb+ + + + # Be sure to restart your server when you modify this file. + + # Your secret key for verifying the integrity of signed cookies. + # If you change this key, all old signed cookies will become invalid! + # Make sure the secret is at least 30 characters and all random, + # no regular words or you'll be exposed to dictionary attacks. + YourApp::Application.config.secret_token = '49d3f3de9ed86c74b94ad6bd0...' NOTE: Changing the secret when using the CookieStore will invalidate all existing sessions. -- cgit v1.2.3
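Review bot: The rewritten lead-in for the first +:cookie_store+ example ("Rails sets up a session key (the name of the cookie) when signing the session data. These can also be changed in ...") no longer reads correctly now that the secret has moved to its own paragraph. The key is only the cookie name, so "when signing the session data" is left over from the old sentence, and "These" now has a single referent. Suggest "Rails sets up a session key (the name of the cookie). This can be changed in +config/initializers/session_store.rb+:". The new secret-token sentence ("This can be changed in +config/initializers/secret_token.rb+") also ends without the colon the other lead-ins use. For the +:domain+ example, consider adding a sentence saying that a value with a leading dot such as ".test.com" makes the session cookie available to every subdomain, so readers set it deliberately rather than copying it as a default.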