Class: ActiveRecord::SessionStore::Session

Inherits:
Base
  • Object
show all
Extended by:
ClassMethods
Defined in:
lib/active_record/session_store/session.rb

Overview

The default Active Record class.

Constant Summary collapse

SEMAPHORE =
Mutex.new

Class Method Summary collapse

Instance Method Summary collapse

Methods included from ClassMethods

create_table!, deserialize, drop_table!, serialize, serializer_class

Constructor Details

#initializeSession

Returns a new instance of Session.



61
62
63
64
# File 'lib/active_record/session_store/session.rb', line 61

def initialize(*)
  @data = nil
  super
end

Class Method Details

.data_column_size_limitObject



21
22
23
# File 'lib/active_record/session_store/session.rb', line 21

def data_column_size_limit
  @data_column_size_limit ||= columns_hash[data_column_name].limit
end

.find_by_session_id(session_id) ⇒ Object

Hook to set up sessid compatibility.



26
27
28
29
# File 'lib/active_record/session_store/session.rb', line 26

def find_by_session_id(session_id)
  SEMAPHORE.synchronize { setup_sessid_compatibility! }
  find_by_session_id(session_id)
end

Instance Method Details

#dataObject

Lazy-deserialize session state.



67
68
69
# File 'lib/active_record/session_store/session.rb', line 67

def data
  @data ||= self.class.deserialize(read_attribute(@@data_column_name)) || {}
end

#data=(data) ⇒ Object



71
72
73
74
# File 'lib/active_record/session_store/session.rb', line 71

def data=(data)
  attribute_will_change!(@@data_column_name) if data != self.data
  @data = data
end

#data_column_nameObject

:singleton-method: Customizable data column name. Defaults to 'data'.



14
# File 'lib/active_record/session_store/session.rb', line 14

cattr_accessor :data_column_name

#loaded?Boolean

Has the session been loaded yet?

Returns:

  • (Boolean)


77
78
79
# File 'lib/active_record/session_store/session.rb', line 77

def loaded?
  @data
end

#secure!Object

This method was introduced when addressing CVE-2019-16782 (see https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3). Sessions created on version <= 1.1.3 were guessable via a timing attack. To secure sessions created on those old versions, this method can be called on all existing sessions in the database. Users will not lose their session when this is done.



87
88
89
90
91
92
93
94
95
96
97
98
99
100
# File 'lib/active_record/session_store/session.rb', line 87

def secure!
  session_id_column = if self.class.columns_hash['sessid']
    :sessid
  else
    :session_id
  end
  raw_session_id = read_attribute(session_id_column)
  if ActionDispatch::Session::ActiveRecordStore.private_session_id?(raw_session_id)
    # is already private, nothing to do
  else
    session_id_object = Rack::Session::SessionId.new(raw_session_id)
    update_column(session_id_column, session_id_object.private_id)
  end
end