KathysKode-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2007-Dec-29 22:52 UTC
Action Pack: Cookie store sessions = blow up app in 2.0?
DHH writes in his new 2.0 update over view the following: The default session store in Rails 2.0 is now a cookie-based one. That means sessions are no longer stored on the file system or in the database, but kept by the client in a hashed form that can''t be forged. This makes it not only a lot faster than traditional session stores, but also makes it zero maintenance. There''s no cron job needed to clear out the sessions and your server won''t crash because you forgot and suddenly had 500K files in tmp/session. When I go into my environment.rb file and comment out the; config.action_controller.session_store = :active_record_store my application goes completely DEAD. I do have a sessions table and DID have it keeping the session in the database before. Can anyone suggest how I should proceed for my new Rails 2.0 application. Thank you, Kathleen --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Frederick Cheung
2007-Dec-29 23:54 UTC
Re: Action Pack: Cookie store sessions = blow up app in 2.0?
On 29 Dec 2007, at 22:52, KathysKode-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:> > DHH writes in his new 2.0 update over view the following: > > The default session store in Rails 2.0 is now a cookie-based one. That > means sessions are no longer stored on the file system or in the > database, but kept by the client in a hashed form that can''t be > forged. This makes it not only a lot faster than traditional session > stores, but also makes it zero maintenance. There''s no cron job needed > to clear out the sessions and your server won''t crash because you > forgot and suddenly had 500K files in tmp/session. > > When I go into my environment.rb file and comment out the; > > config.action_controller.session_store = :active_record_store > > my application goes completely DEAD. I do have a sessions table and > DID have it keeping the session in the database before.Have you defined a secret to use for the cookies (I expect there''s a message in your logs about it) ? You set the secret in environment.rb config.action_controller.session = { :session_key => ''_empty_app_session'', :secret => ''your secret here'' } If you generate a new app rails will create a nice long safe secret for you. You can run rake secret to get rails to generate you a nice secret. Fred> Can anyone suggest how I should proceed for my new Rails 2.0 > application. > Thank you, > Kathleen > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Xavier Noria
2007-Dec-30 00:27 UTC
Re: Action Pack: Cookie store sessions = blow up app in 2.0?
On Dec 30, 2007, at 12:54 AM, Frederick Cheung wrote:> Have you defined a secret to use for the cookies (I expect there''s a > message in your logs about it) ? > You set the secret in environment.rb > config.action_controller.session = { > :session_key => ''_empty_app_session'', > :secret => ''your secret here'' > } > > If you generate a new app rails will create a nice long safe secret > for you. You can run > rake secret > to get rails to generate you a nice secret.In addition it is a good idea to change the name of the cookie. Otherwise the first time a user with an old session hits the site CGI::Session::CookieStore::TamperedWithCookie is raised because the cookie value looks invalid. A session ID was gotten, but now Rails expects <data>--<digest> and ensures nobody has tampered with the cookie. -- fxn --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Dec 29, 2007, at 4:27 PM, Xavier Noria wrote:> In addition it is a good idea to change the name of the cookie.You mean new session_key, right? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Martin Svalin
2007-Dec-30 01:25 UTC
Re: Action Pack: Cookie store sessions = blow up app in 2.0?
On Dec 30, 2007 12:54 AM, Frederick Cheung <frederick.cheung-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> Have you defined a secret to use for the cookies (I expect there''s a > message in your logs about it) ?Hi, I ran into (probably) the same error as Kathleen did tonight. I''m using the default environment.rb, but changing the session_store to use AR as a session_store, and I get an error: "ActionController::InvalidAuthenticityToken in Products#new No :secret given to the #protect_from_forgery call." I''ve tried to reproduce it in the simplest manner I can think of. I''m running Rails 2.0.2 (on Leopard, if it makes any difference). Here''s what I do to reproduce this error: rails newapp cd newapp/ script/scaffold some_model name:string rake db:sessions:create vim config/environment.rb # (uncommenting config.action_controller.session_store :active_record_store, nothing else. :secret is set a few lines above) rake db:migrate script/server Everything seems just fine up till now. No errors on the rake tasks or anything. I clean out all cookies from localhost in Safari, and then I get visit http://localhost:3000/some_model/new and get the error. (For some reason, http://localhost:3000/some_models does not produce the error.) I''ve tried the above, using mysql as my database instead of sqlite (because I''m more comfortable on the mysql prompt), and had a look. Everything is there. The sessions table does indeed have a row after I''ve visited the url. The browser has a new cookie set from localhost. But still I get the ActionController::InvalidAuthenticityToken error. Have I done something weird? Here''s an excerpt from my config/environment.rb: # Your secret key for verifying cookie session data integrity. # If you change this key, all old sessions will become invalid! # Make sure the secret is at least 30 characters and all random, # no regular words or you''ll be exposed to dictionary attacks. config.action_controller.session = { :session_key => ''_testapp_session'', :secret => ''0a3cae420e2e43d216f641e7c84958c357eec74593bee85cb3f9a46bb9fc7f8ebe52d9f8ac5d3d429a678ce91f46336fb04e91a4f9054c164f8f258932763e59'' } # Use the database for sessions instead of the cookie-based default, # which shouldn''t be used to store highly confidential information # (create the session table with ''rake db:sessions:create'') config.action_controller.session_store = :active_record_store If it''s a bug in Rails 2.0.2, I hope this helps to confirm it. - Martin --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Xavier Noria
2007-Dec-30 01:50 UTC
Re: Action Pack: Cookie store sessions = blow up app in 2.0?
On Dec 30, 2007, at 1:41 AM, s.ross wrote:> On Dec 29, 2007, at 4:27 PM, Xavier Noria wrote: > >> In addition it is a good idea to change the name of the cookie. > > You mean new session_key, right?That''s it. -- fxn --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Rick Olson
2007-Dec-30 03:00 UTC
Re: Action Pack: Cookie store sessions = blow up app in 2.0?
> "ActionController::InvalidAuthenticityToken in Products#new > No :secret given to the #protect_from_forgery call."That''s the error message. Check your application.rb file It generates a secret, but comments it out because it can use the CookieSessionStore secret. -- Rick Olson http://lighthouseapp.com http://weblog.techno-weenie.net http://mephistoblog.com --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Martin Svalin
2007-Dec-30 09:14 UTC
Re: Action Pack: Cookie store sessions = blow up app in 2.0?
On Dec 30, 2007 4:00 AM, Rick Olson <technoweenie-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> That''s the error message. Check your application.rb file It > generates a secret, but comments it out because it can use the > CookieSessionStore secret. >Thank you, that solved the problem. I thought it used the :secret in config.action_controller.session... Maybe I''ll get around to submitting a patch on the comments in environment.rb, giving a hint about the :secret in application.rb in the comment for config.action_controller.session_store :active_record_store. :) - Martin --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
mel ram
2008-Jan-18 03:18 UTC
Re: Action Pack: Cookie store sessions = blow up app in 2.0?
That worked for me as well. On Dec 29 2007, 7:00 pm, "Rick Olson" <technowee...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> > "ActionController::InvalidAuthenticityToken in Products#new > >No:secretgivento the #protect_from_forgerycall." > > That''s the error message. Check your application.rb file It > generates asecret, but comments it out because it can use the > CookieSessionStoresecret. > > -- > Rick Olsonhttp://lighthouseapp.comhttp://weblog.techno-weenie.nethttp://mephistoblog.com--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
I am just starting to learn Ruby on Rails, I will be really grateful if someone can tell me what do I have wrong in my files because it gives me the next error: " ActionController::InvalidAuthenticityToken in Store#index" The content of my files are: Environment.rb: " # Be sure to restart your server when you modify this file # Uncomment below to force Rails into production mode when # you don''t control web/app server and can''t set it the proper way # ENV[''RAILS_ENV''] ||= ''production'' # Specifies gem version of Rails to use when vendor/rails is not present RAILS_GEM_VERSION = ''2.0.2'' unless defined? RAILS_GEM_VERSION # Bootstrap the Rails environment, frameworks, and default configuration require File.join(File.dirname(__FILE__), ''boot'') Rails::Initializer.run do |config| # Settings in config/environments/* take precedence over those specified here. # Application configuration should go into files in config/ initializers # -- all .rb files in that directory are automatically loaded. # See Rails::Configuration for more options. # Skip frameworks you''re not going to use (only works if using vendor/rails). # To use Rails without a database, you must remove the Active Record framework # config.frameworks -[ :active_record, :active_resource, :action_mailer ] # Only load the plugins named here, in the order given. By default, all plugins # in vendor/plugins are loaded in alphabetical order. # :all can be used as a placeholder for all plugins not explicitly named # config.plugins [ :exception_notification, :ssl_requirement, :all ] # Add additional load paths for your own custom dirs # config.load_paths += %W( #{RAILS_ROOT}/extras ) # Force all environments to use the same logger level # (by default production uses :info, the others :debug) # config.log_level = :debug # Your secret key for verifying cookie session data integrity. # If you change this key, all old sessions will become invalid! # Make sure the secret is at least 30 characters and all random, # no regular words or you''ll be exposed to dictionary attacks. config.action_controller.session = { :session_key => ''_depot_session'', :secret => ''2eae1bebb00c0983fdf1c7a908cc59dd992d3096449a07e432589e604ae164081eb4a1ce9e387c925fead854e6c586e17b2b56d68cf0b3dec4a8b7ff32aabc9e'' } # Use the database for sessions instead of the cookie-based default, # which shouldn''t be used to store highly confidential information # (create the session table with ''rake db:sessions:create'') config.action_controller.session_store = :active_record_store # Use SQL instead of Active Record''s schema dumper when creating the test database. # This is necessary if your schema can''t be completely dumped by the schema dumper, # like if you have constraints or database-specific column types # config.active_record.schema_format = :sql # Activate observers that should always be running # config.active_record.observers = :cacher, :garbage_collector # Make Active Record use UTC-base instead of local time # config.active_record.default_timezone = :utc end" application.rb: "# Filters added to this controller apply to all controllers in the application. # Likewise, all the methods added will be available for all controllers. class ApplicationController < ActionController::Base # helper :all # include all helpers, all the time # See ActionController::RequestForgeryProtection for details # Uncomment the :secret if you''re not using the cookie session store # Pick a unique cookie name to distinguish our session data from others'' session :session_key => ''_depot_session'' protect_from_forgery :secret => ''2eae1bebb00c0983fdf1c7a908cc59dd992d3096449a07e432589e604ae164081eb4a1ce9e387c925fead854e6c586e17b2b56d68cf0b3dec4a8b7ff32aabc9e'' end" Thanks in advance. Belén On 18 ene, 04:18, mel ram <mel...-IA9i2KS8NFBpEKysQ+xqfPpXobYPEAuW@public.gmane.org> wrote:> That worked for me as well. > > On Dec 29 2007, 7:00 pm, "Rick Olson" <technowee...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > > "ActionController::InvalidAuthenticityToken in Products#new > > >No:secretgivento the #protect_from_forgerycall." > > > That''s the error message. Check your application.rb file It > > generates asecret, but comments it out because it can use the > > CookieSessionStoresecret. > > > -- > > Rick Olsonhttp://lighthouseapp.comhttp://weblog.techno-weenie.nethttp://mephist...--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Frederick Cheung
2008-Feb-10 18:11 UTC
Re: Action Pack: Cookie store sessions = blow up app in 2.0?
On 10 Feb 2008, at 11:22, Belén wrote:> > I am just starting to learn Ruby on Rails, I will be really grateful > if someone can tell me what do I have wrong in my files because it > gives me the next error: > " ActionController::InvalidAuthenticityToken in Store#index"How are you creating your forms? If you''re not using the rails helpers, you''ll need to use token_tag to add the authenticity token. Fred --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Wha do you mean with the forms? On 10 feb, 19:11, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> On 10 Feb 2008, at 11:22, Belén wrote: > > > > > I am just starting to learn Ruby on Rails, I will be really grateful > > if someone can tell me what do I have wrong in my files because it > > gives me the next error: > > " ActionController::InvalidAuthenticityToken in Store#index" > > How are you creating your forms? If you''re not using the rails > helpers, you''ll need to use token_tag to add the authenticity token. > > Fred--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Frederick Cheung
2008-Feb-10 21:07 UTC
Re: Action Pack: Cookie store sessions = blow up app in 2.0?
On 10 Feb 2008, at 18:31, Belén wrote:> > Wha do you mean with the forms?if you''re just writing <form ...> </form> Then the token won''t be magically added for you if you are using form_for, form_tag etc... then it will Fred> > > On 10 feb, 19:11, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: >> On 10 Feb 2008, at 11:22, Belén wrote: >> >> >> >>> I am just starting to learn Ruby on Rails, I will be really grateful >>> if someone can tell me what do I have wrong in my files because it >>> gives me the next error: >>> " ActionController::InvalidAuthenticityToken in Store#index" >> >> How are you creating your forms? If you''re not using the rails >> helpers, you''ll need to use token_tag to add the authenticity token. >> >> Fred > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
I have solved the problem! Thanks for your help!!! I was not writing <form>. Belénn On 10 feb, 22:07, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> On 10 Feb 2008, at 18:31, Belén wrote: > > > > > Wha do you mean with the forms? > > if you''re just writing > > <form ...> > > </form> > Then the token won''t be magically added for you > if you are using form_for, form_tag etc... then it will > > Fred > > > > > On 10 feb, 19:11, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > >> On 10 Feb 2008, at 11:22, Belén wrote: > > >>> I am just starting to learn Ruby on Rails, I will be really grateful > >>> if someone can tell me what do I have wrong in my files because it > >>> gives me the next error: > >>> " ActionController::InvalidAuthenticityToken in Store#index" > > >> How are you creating your forms? If you''re not using the rails > >> helpers, you''ll need to use token_tag to add the authenticity token. > > >> Fred--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---