Class: ActiveRecord::SessionStore::Session

Inherits:

Base

Object
Base
ActiveRecord::SessionStore::Session

show all

Extended by:: ClassMethods

Defined in:: lib/active_record/session_store/session.rb

Overview

The default Active Record class.

Constant Summary collapse

SEMAPHORE =

Mutex.new

Instance Attribute Summary collapse

#data ⇒ Object

Lazy-deserialize session state.

Class Method Summary collapse

.data_column_size_limit ⇒ Object
.find_by_session_id(session_id) ⇒ Object

Hook to set up sessid compatibility.

Instance Method Summary collapse

#data_column_name ⇒ Object

:singleton-method: Customizable data column name.
#initialize ⇒ Session constructor

A new instance of Session.
#loaded? ⇒ Boolean

Has the session been loaded yet?.
#secure! ⇒ Object

This method was introduced when addressing CVE-2019-16782 (see github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3).

Methods included from ClassMethods

create_table!, deserialize, drop_table!, serialize, serializer_class

Constructor Details

#initialize ⇒ `Session`

Returns a new instance of Session.

# File 'lib/active_record/session_store/session.rb', line 57

def initialize(*)
  @data = nil
  super
end

Instance Attribute Details

#data ⇒ `Object`

Lazy-deserialize session state.



63
64
65

# File 'lib/active_record/session_store/session.rb', line 63

def data
  @data ||= self.class.deserialize(read_attribute(@@data_column_name)) || {}
end

Class Method Details

.data_column_size_limit ⇒ `Object`



21
22
23

# File 'lib/active_record/session_store/session.rb', line 21

def data_column_size_limit
  @data_column_size_limit ||= columns_hash[data_column_name].limit
end

.find_by_session_id(session_id) ⇒ `Object`

Hook to set up sessid compatibility.

# File 'lib/active_record/session_store/session.rb', line 26

def find_by_session_id(session_id)
  SEMAPHORE.synchronize { setup_sessid_compatibility! }
  find_by_session_id(session_id)
end

Instance Method Details

#data_column_name ⇒ `Object`

:singleton-method: Customizable data column name. Defaults to ‘data’.

14	# File 'lib/active_record/session_store/session.rb', line 14 cattr_accessor :data_column_name

#loaded? ⇒ `Boolean`

Has the session been loaded yet?

Returns:

(Boolean)



70
71
72

# File 'lib/active_record/session_store/session.rb', line 70

def loaded?
  @data
end

#secure! ⇒ `Object`

This method was introduced when addressing CVE-2019-16782 (see github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3). Sessions created on version <= 1.1.3 were guessable via a timing attack. To secure sessions created on those old versions, this method can be called on all existing sessions in the database. Users will not lose their session when this is done.

# File 'lib/active_record/session_store/session.rb', line 80

def secure!
  session_id_column = if self.class.columns_hash['sessid']
    :sessid
  else
    :session_id
  end
  raw_session_id = read_attribute(session_id_column)
  if ActionDispatch::Session::ActiveRecordStore.private_session_id?(raw_session_id)
    # is already private, nothing to do
  else
    session_id_object = Rack::Session::SessionId.new(raw_session_id)
    update_column(session_id_column, session_id_object.private_id)
  end
end