Ruby rails: sessions

From wikinotes
Revision as of 22:33, 1 September 2021 by Will (talk | contribs) (→‎Cookies)

Documentation

cookies https://guides.rubyonrails.org/action_controller_overview.html#cookies
authentication https://guides.rubyonrails.org/action_controller_overview.html#http-authentications
streams/file downloads https://guides.rubyonrails.org/action_controller_overview.html#streaming-and-file-downloads

Tutorials

rails 6 cookies https://binarysolo.chapter24.blog/demystifying-cookies-in-rails-6/
rails 4 cookies http://big-elephants.com/2014-01/handling-rails-4-sessions-with-go/

Cache

TODO:

this

ActiveRecord

TODO:

this

MemCache

TODO:

this

Cookies

Cookie Types

Basics

cookies[:mycookie] = "value"  # Set-Cookie: mycookie=value; path=/; SameSite=Lax

cookies.delete(:mycookie)

cookies[:mycookie] = {
  value: "value",
  expires: 1.year,
  secure: true,
  httponly: true,
}

Signed Cookies

cookies.signed[:signed_cookie] = "value"
# cookie       == "${base64_json_message}--${hmac_hex_of_message}"   ( HMAC keyed from secret_key_base; SHA1 digest by default )
# message_json == { _rails: { message: "base64_json_value", exp: nil, pur: "cookie.signed_cookie" } }
# value        == "value"

The message is created (and checked on read) by ActiveSupport::MessageVerifier: the digest is an HMAC keyed from secret_key_base and signed_cookie_salt, so the client can read the value but cannot alter it without the cookie being rejected.
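The signed-cookie layout above, worked through in plain Ruby as an added example (this is not Rails' code; it reproduces what MessageVerifier and KeyGenerator do with only OpenSSL and JSON). The secret is a placeholder; the salt string "signed cookie" and the SHA1 digest are Rails' defaults; the metadata envelope matches use_cookies_with_metadata = true. It shows what the reader side must check: the HMAC (in constant time), the purpose (so a cookie issued for one name cannot be presented under another), and the expiry.

```ruby
require "openssl"
require "json"
require "time"

# Constructed stand-ins for the app's configuration (placeholder secret;
# salt and digest are Rails' defaults for signed cookies).
SECRET_KEY_BASE      = "myawesomesecret"
SIGNED_COOKIE_SALT   = "signed cookie"
SIGNED_COOKIE_DIGEST = "SHA1"

# Key derivation as ActiveSupport::KeyGenerator does it for cookies:
# PBKDF2-HMAC-SHA1, 1000 iterations, 64-byte key. The salt selects the
# purpose (signed jar vs encrypted jar); it is the same for every cookie.
def signing_key(salt = SIGNED_COOKIE_SALT, secret = SECRET_KEY_BASE)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, 1000, 64, "sha1")
end

# Strict Base64 (no line breaks), as MessageVerifier uses.
def b64(bytes)
  [bytes].pack("m0")
end

def unb64(text)
  text.unpack1("m0")
end

# Compare two digests without leaking where they first differ.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Produce "<base64 json envelope>--<hex hmac>" like cookies.signed[name]=,
# including the _rails metadata envelope (purpose and optional expiry).
def sign_cookie(name, value, expires_at: nil, key: signing_key)
  envelope = { "_rails" => {
    "message" => b64(JSON.generate(value)),
    "exp"     => expires_at && expires_at.getutc.iso8601(3),
    "pur"     => "cookie.#{name}"
  } }
  data = b64(JSON.generate(envelope))
  "#{data}--#{OpenSSL::HMAC.hexdigest(SIGNED_COOKIE_DIGEST, key, data)}"
end

# Verify and unwrap like cookies.signed[name]: nil when the HMAC does not
# match, when the cookie was issued for another name, or when it has expired.
def read_signed_cookie(name, cookie, key: signing_key, now: Time.now.utc)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(SIGNED_COOKIE_DIGEST, key, data)
  return nil unless constant_time_eq?(expected, digest)      # integrity first
  meta = JSON.parse(unb64(data)).fetch("_rails")
  return nil unless meta["pur"] == "cookie.#{name}"          # purpose binding
  return nil if meta["exp"] && Time.iso8601(meta["exp"]) <= now
  JSON.parse(unb64(meta["message"]))
rescue JSON::ParserError, ArgumentError, KeyError, TypeError
  nil
end
```

Deriving the key with a different salt (for example the encrypted jar's salt) gives an unrelated key, which is why one secret_key_base can safely serve several cookie jars.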

Encrypted Cookies

cookies.encrypted[:encrypted_cookie] = "value"
# value is encrypted (aes-256-gcm by default, via ActiveSupport::MessageEncryptor), so the client can neither read nor alter it
# cookie == "${base64_ciphertext}--${base64_iv}--${base64_auth_tag}"

Config

See documentation for action_dispatch configuration

  • cipher (algorithm to encrypt text)
  • digest (normally the hashed text, but in this case the algorithm used to produce the hash)
  • salt (extra text mixed with the secret when a key is derived; a password salt is random, but here it is a fixed string per cookie type so one secret yields a different key per purpose)
# arbitrary string; every cookie key is derived from it together with a per-purpose salt
# ( it lives on the application config, not under action_dispatch )
Rails.application.config.secret_key_base = 'myawesomesecret'

# hash algorithm used for the HMAC on signed cookies
# ( see available digests https://docs.ruby-lang.org/en/master/OpenSSL/Digest.html )
Rails.application.config.action_dispatch.cookies_digest       = 'SHA512'
Rails.application.config.action_dispatch.signed_cookie_digest = 'SHA512'

# combined with secret_key_base when that cookie type's key is derived
# ( a fixed string per cookie type - shared by all cookies of that type; it is not appended to each value )
# ( ? shouldn't we use a different salt for all passwords? )
# ( no: this salt separates purposes, e.g. signed vs encrypted, rather than protecting individual values )
Rails.application.config.action_dispatch.signed_cookie_salt                  = 'abcdefg'
Rails.application.config.action_dispatch.encrypted_cookie_salt               = 'abcdefg'
Rails.application.config.action_dispatch.encrypted_signed_cookie_salt        = 'abcdefg'
Rails.application.config.action_dispatch.authenticated_encrypted_cookie_salt = 'abcdefg'

# there are also some other options ( values shown are the Rails 6 defaults )
# see https://edgeguides.rubyonrails.org/configuring.html#configuring-action-dispatch
Rails.application.config.action_dispatch.use_authenticated_cookie_encryption = true  # AES-GCM instead of AES-CBC + separate HMAC
Rails.application.config.action_dispatch.use_cookies_with_metadata           = true  # embed purpose and expiry in the cookie
Rails.application.config.action_dispatch.encrypted_cookie_cipher             = 'aes-256-gcm'
# cookies_rotations accepts cookies issued under a previous secret, cipher or digest while new ones use the current settings,
# e.g. Rails.application.config.action_dispatch.cookies_rotations.rotate :signed, digest: 'SHA1'
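The encrypted-cookie side of the configuration above (authenticated_encrypted_cookie_salt, encrypted_cookie_cipher, use_authenticated_cookie_encryption), worked through in plain Ruby as an added example that is not Rails' own code: it reproduces what MessageEncryptor does in AES-256-GCM mode with OpenSSL only. The secret is a placeholder, the salt string "authenticated encrypted cookie" and the cipher name are Rails' defaults, and the _rails metadata envelope that Rails wraps around the value is left out to keep the focus on the cipher. The reader side returns nil for anything malformed, tampered with, truncated, or encrypted under a key derived from a different salt.

```ruby
require "openssl"
require "json"

# Constructed stand-ins for the configuration (placeholder secret; salt and
# cipher are Rails' defaults for the authenticated-encrypted cookie jar).
SECRET_KEY_BASE                     = "myawesomesecret"
AUTHENTICATED_ENCRYPTED_COOKIE_SALT = "authenticated encrypted cookie"
ENCRYPTED_COOKIE_CIPHER             = "aes-256-gcm"
AUTH_TAG_LENGTH                     = 16

# ActiveSupport::KeyGenerator derivation (PBKDF2-HMAC-SHA1, 1000 iterations).
# One secret_key_base, several salts: each jar gets an unrelated key, which is
# what the *_salt settings are for.
def derive_key(salt, length, secret = SECRET_KEY_BASE)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, 1000, length, "sha1")
end

# 32-byte key, sized to the configured cipher.
def cookie_key
  derive_key(AUTHENTICATED_ENCRYPTED_COOKIE_SALT,
             OpenSSL::Cipher.new(ENCRYPTED_COOKIE_CIPHER).key_len)
end

def b64(bytes)
  [bytes].pack("m0")
end

def unb64(text)
  text.unpack1("m0")
end

# cookies.encrypted[name]= : AES-256-GCM, serialised as
# "<base64 ciphertext>--<base64 iv>--<base64 auth tag>". A fresh random IV
# per cookie means equal values never produce equal cookies.
def encrypt_cookie(value, key: cookie_key)
  cipher = OpenSSL::Cipher.new(ENCRYPTED_COOKIE_CIPHER).encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(value)) + cipher.final
  [b64(ciphertext), b64(iv), b64(cipher.auth_tag(AUTH_TAG_LENGTH))].join("--")
end

# cookies.encrypted[name] : nil (never an exception) when the cookie is
# malformed, tampered with, or encrypted under another key. The tag length is
# checked explicitly because GCM would otherwise accept a truncated tag.
def decrypt_cookie(cookie, key: cookie_key)
  parts = cookie.to_s.split("--")
  return nil unless parts.length == 3
  ciphertext, iv, tag = parts.map { |p| unb64(p) }
  return nil unless tag.bytesize == AUTH_TAG_LENGTH
  decipher = OpenSSL::Cipher.new(ENCRYPTED_COOKIE_CIPHER).decrypt
  decipher.key = key
  decipher.iv = iv
  decipher.auth_tag = tag
  JSON.parse(decipher.update(ciphertext) + decipher.final)   # final verifies the tag
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end
```

Because the auth tag covers the ciphertext, a flipped ciphertext byte fails in final rather than yielding a subtly different plaintext; that property is what use_authenticated_cookie_encryption turns on compared with the older AES-CBC plus separate HMAC layout.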