Configuring Cookie-Based Sessions in Rails 2.0

December 27th, 2007 by Trevor

As of Changeset 6184 and the release of Rails 2.0, the default session store for Rails apps is cookie-based.

[This] means sessions are no longer stored on the file system or in the database, but kept by the client in a hashed form that can't be forged. This makes it not only a lot faster than traditional session stores, but also makes it zero maintenance. There's no cron job needed to clear out the sessions and your server won't crash because you forgot and suddenly had 500K files in tmp/session.

Configuring your application to use this speedy new session store is easy. Adding the following to your config/environment.rb file would do the trick:

config.action_controller.session = {
  :session_key => '_my_app_session',
  :secret      => 'some_really_long_and_hashed_key'
}

But...

I don't like it.

Especially when you're dealing with open-source projects, putting what amounts to installation-specific passwords here doesn't seem appropriate. In the case of my open-source project, El Dorado, I'd like to be able to make changes to environment.rb without troubling the user. Ideally, I think all passwords should be set from a single location. Luckily, it's easy to push this configuration into the already available config/database.yml.

Here's how.

Add the following to config/environment.rb:

require 'yaml'
# Resolve the file against RAILS_ROOT so this works no matter which
# directory the server process was started from.
db = YAML.load_file(File.join(RAILS_ROOT, 'config', 'database.yml'))
config.action_controller.session = {
  :session_key => db[RAILS_ENV]['session_key'],
  # The cookie store signs session data with this value; Rails refuses to
  # start if it is blank or shorter than 30 characters.
  :secret      => db[RAILS_ENV]['secret']
}

And then you can set everything up in one place: config/database.yml:

development:
  adapter: mysql
  database: eldorado_development
  username: root
  password:
  host: localhost
  session_key: eldorado_development
  secret: YrDOFOmYJyFg2tTZykCbZjWYQUbKBt

test:
  adapter: mysql
  database: eldorado_test
  username: root
  password:
  host: localhost
  session_key: eldorado_test
  secret: Pl8qJNFc8mo1yt1xtHOmfUGHOPEutu

production:
  adapter: mysql
  database: eldorado_production
  username: root
  password:
  host: localhost
  session_key: eldorado_production
  secret:

This seems more... natural. Don't you think?

Anyway, using YAML files for app configuration is the way of the future.
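To show what the two halves of this setup actually do together, here is an added stand-alone Ruby script. It is not code from this post or from El Dorado. It reads the session_key and secret for one environment out of a database.yml-style document (a constructed sample with placeholder secrets), applies the 30-character minimum that Rails 2.0's CookieStore enforces, and then signs and verifies a session value in the "data--digest" layout the cookie store used, so you can see what the secret protects and what it does not. The helper names, the constant-time compare and the sample values are mine.

```ruby
# Added example, not code from the original post or from El Dorado.
require 'yaml'
require 'base64'
require 'openssl'

# Constructed sample in the layout shown in the post; the secrets are
# placeholders, not real ones.
SAMPLE_DATABASE_YML = <<YAML
development:
  adapter: mysql
  database: eldorado_development
  session_key: eldorado_development
  secret: YrDOFOmYJyFg2tTZykCbZjWYQUbKBt
production:
  adapter: mysql
  database: eldorado_production
  session_key: eldorado_production
  secret:
YAML

SECRET_MIN_LENGTH = 30  # the minimum Rails 2.0's CookieStore enforces

# Pull the :session_key/:secret pair for one environment, failing the way
# Rails would if the secret is missing or too short.
def session_config(yaml_text, env)
  db = YAML.load(yaml_text)
  cfg = db[env]
  raise ArgumentError, "no #{env} section in database.yml" if cfg.nil?
  secret = cfg['secret'].to_s
  if secret.length < SECRET_MIN_LENGTH
    raise ArgumentError,
          "secret for #{env} must be at least #{SECRET_MIN_LENGTH} characters (got #{secret.length})"
  end
  { :session_key => cfg['session_key'], :secret => secret }
end

def hmac_sha1(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Constant-time comparison so timing does not leak how many digest bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result == 0
end

# Serialize and sign: base64(Marshal) joined to its HMAC-SHA1 by "--".
def sign_session(session_hash, secret)
  data = Base64.strict_encode64(Marshal.dump(session_hash))
  "#{data}--#{hmac_sha1(secret, data)}"
end

# Verify before deserializing; returns nil for anything that fails the check.
def verify_session(cookie_value, secret)
  data, digest = cookie_value.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(hmac_sha1(secret, data), digest)
  Marshal.load(Base64.decode64(data))
end

# The payload is signed, not encrypted: the raw bytes are readable by anyone
# holding the cookie, with no secret needed.
def session_payload_bytes(cookie_value)
  Base64.decode64(cookie_value.split('--', 2).first)
end

if __FILE__ == $0
  cfg = session_config(SAMPLE_DATABASE_YML, 'development')
  cookie = sign_session({ 'user_id' => 42 }, cfg[:secret])
  puts "cookie: #{cookie}"
  puts "verifies: #{verify_session(cookie, cfg[:secret]).inspect}"
  puts "tampered verifies: #{verify_session(cookie.sub('--', 'x--'), cfg[:secret]).inspect}"
  puts "payload contains user_id without the secret: #{session_payload_bytes(cookie).include?('user_id')}"
  begin
    session_config(SAMPLE_DATABASE_YML, 'production')
  rescue ArgumentError => e
    puts "production: #{e.message}"
  end
end
```

Two things fall out of running it. The secret gives you integrity only: a changed cookie fails verification, but the session contents are plainly readable by whoever holds the cookie, so nothing sensitive belongs in the session itself. And whoever has the secret can mint any session they like, which is the real reason to keep it out of environment.rb in a public repository: changing it later invalidates every existing session, so it is far better never to have published it.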

3 Comments

  1. I’m all for pushing this configuration into a yaml file, but is there any particular reason that you picked the database yaml?

    Comment by Brent on July 24, 2008

  2. Just to keep the config options in a single file. I think I’ll eventually use database.yml and config.yml for everything else (mail settings, etc). But for now, I just wanted to keep the installation instructions for my open-source app as easy as possible.

    Comment by Trevor on July 24, 2008

  3. [...] in open source project deployments). I quickly jumped to fix the code using a solution put out by Trevor Turk which requires users to set both the session key and session secret in their database.yml [...]