commit: 00df69bc89f1b5ffdf290bde8359b3854e2b1395
parent: 7a549f830e0d77af3020243617c5ab8bd811fd8d
Author: Eugen Rochko <eugen@zeonfederated.com>
Date: Fri, 7 Jul 2017 23:25:15 +0200
Fix #4058 - Use a long-lived cookie to keep track of user-level sessions (#4091)
* Fix #4058 - Use a long-lived cookie to keep track of user-level sessions
* Fix tests, smooth migrate from previous session-based identifier
Diffstat:
3 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -70,7 +70,7 @@ class ApplicationController < ActionController::Base
end
def current_session
- @current_session ||= SessionActivation.find_by(session_id: session['auth_id'])
+ @current_session ||= SessionActivation.find_by(session_id: cookies.signed['_session_id'])
end
def cache_collection(raw, klass)
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -1,17 +1,29 @@
Warden::Manager.after_set_user except: :fetch do |user, warden|
- SessionActivation.deactivate warden.raw_session['auth_id']
- warden.raw_session['auth_id'] = user.activate_session(warden.request)
+ SessionActivation.deactivate warden.cookies.signed['_session_id']
+
+ warden.cookies.signed['_session_id'] = {
+ value: user.activate_session(warden.request),
+ expires: 1.year.from_now,
+ httponly: true,
+ }
end
Warden::Manager.after_fetch do |user, warden|
- unless user.session_active?(warden.raw_session['auth_id'])
+ if user.session_active?(warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'])
+ warden.cookies.signed['_session_id'] = {
+ value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
+ expires: 1.year.from_now,
+ httponly: true,
+ }
+ else
warden.logout
throw :warden, message: :unauthenticated
end
end
Warden::Manager.before_logout do |_, warden|
- SessionActivation.deactivate warden.raw_session['auth_id']
+ SessionActivation.deactivate warden.cookies.signed['_session_id']
+ warden.cookies.delete('_session_id')
end
Devise.setup do |config|
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
@@ -20,11 +20,16 @@ Sidekiq::Logging.logger = nil
Devise::Test::ControllerHelpers.module_eval do
alias_method :original_sign_in, :sign_in
- def sign_in(resource, deprecated = nil, scope: nil)
+ def sign_in(resource, _deprecated = nil, scope: nil)
original_sign_in(resource, scope: scope)
- SessionActivation.deactivate warden.raw_session["auth_id"]
- warden.raw_session["auth_id"] = resource.activate_session(warden.request)
+ SessionActivation.deactivate warden.cookies.signed['_session_id']
+
+ warden.cookies.signed['_session_id'] = {
+ value: resource.activate_session(warden.request),
+ expires: 1.year.from_now,
+ httponly: true,
+ }
end
end