module ActionController #:nodoc: module SessionManagement #:nodoc: def self.included(base) base.class_eval do extend ClassMethods alias_method_chain :process, :session_management_support alias_method_chain :process_cleanup, :session_management_support end end module ClassMethods # Set the session store to be used for keeping the session data between requests. # By default, sessions are stored in browser cookies (:cookie_store), # but you can also specify one of the other included stores (:active_record_store, # :p_store, :drb_store, :mem_cache_store, or # :memory_store) or your own custom class. def session_store=(store) ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager] = store.is_a?(Symbol) ? CGI::Session.const_get(store == :drb_store ? "DRbStore" : store.to_s.camelize) : store end # Returns the session store class currently used. def session_store ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager] end # Returns the hash used to configure the session. Example use: # # ActionController::Base.session_options[:session_secure] = true # session only available over HTTPS def session_options ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS end # Specify how sessions ought to be managed for a subset of the actions on # the controller. Like filters, you can specify :only and # :except clauses to restrict the subset, otherwise options # apply to all actions on this controller. # # The session options are inheritable, as well, so if you specify them in # a parent controller, they apply to controllers that extend the parent. # # Usage: # # # turn off session management for all actions. # session :off # # # turn off session management for all actions _except_ foo and bar. # session :off, :except => %w(foo bar) # # # turn off session management for only the foo and bar actions. # session :off, :only => %w(foo bar) # # # the session will only work over HTTPS, but only for the foo action # session :only => :foo, :session_secure => true # # # the session by default uses HttpOnly sessions for security reasons. # # this can be switched off. # session :only => :foo, :session_http_only => false # # # the session will only be disabled for 'foo', and only if it is # # requested as a web service # session :off, :only => :foo, # :if => Proc.new { |req| req.parameters[:ws] } # # # the session will be disabled for non html/ajax requests # session :off, # :if => Proc.new { |req| !(req.format.html? || req.format.js?) } # # # turn the session back on, useful when it was turned off in the # # application controller, and you need it on in another controller # session :on # # All session options described for ActionController::Base.process_cgi # are valid arguments. def session(*args) options = args.extract_options! options[:disabled] = false if args.delete(:on) options[:disabled] = true if !args.empty? options[:only] = [*options[:only]].map { |o| o.to_s } if options[:only] options[:except] = [*options[:except]].map { |o| o.to_s } if options[:except] if options[:only] && options[:except] raise ArgumentError, "only one of either :only or :except are allowed" end write_inheritable_array(:session_options, [options]) end # So we can declare session options in the Rails initializer. alias_method :session=, :session def cached_session_options #:nodoc: @session_options ||= read_inheritable_attribute(:session_options) || [] end def session_options_for(request, action) #:nodoc: if (session_options = cached_session_options).empty? {} else options = {} action = action.to_s session_options.each do |opts| next if opts[:if] && !opts[:if].call(request) if opts[:only] && opts[:only].include?(action) options.merge!(opts) elsif opts[:except] && !opts[:except].include?(action) options.merge!(opts) elsif !opts[:only] && !opts[:except] options.merge!(opts) end end if options.empty? then options else options.delete :only options.delete :except options.delete :if options[:disabled] ? false : options end end end end def process_with_session_management_support(request, response, method = :perform_action, *arguments) #:nodoc: set_session_options(request) process_without_session_management_support(request, response, method, *arguments) end private def set_session_options(request) request.session_options = self.class.session_options_for(request, request.parameters["action"] || "index") end def process_cleanup_with_session_management_support clear_persistent_model_associations process_cleanup_without_session_management_support end # Clear cached associations in session data so they don't overflow # the database field. Only applies to ActiveRecordStore since there # is not a standard way to iterate over session data. def clear_persistent_model_associations #:doc: if defined?(@_session) && @_session.respond_to?(:data) session_data = @_session.data if session_data && session_data.respond_to?(:each_value) session_data.each_value do |obj| obj.clear_association_cache if obj.respond_to?(:clear_association_cache) end end end end end end