about summary refs log tree commit diff
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2017-07-07 23:25:15 +0200
committerGitHub <noreply@github.com>2017-07-07 23:25:15 +0200
commit00df69bc89f1b5ffdf290bde8359b3854e2b1395 (patch)
tree3d5fff003bc5fb0c6e8922451532eb158d262f05
parent7a549f830e0d77af3020243617c5ab8bd811fd8d (diff)
Fix #4058 - Use a long-lived cookie to keep track of user-level sessions (#4091)
* Fix #4058 - Use a long-lived cookie to keep track of user-level sessions

* Fix tests, smooth migrate from previous session-based identifier
-rw-r--r--app/controllers/application_controller.rb2
-rw-r--r--config/initializers/devise.rb20
-rw-r--r--spec/rails_helper.rb11
3 files changed, 25 insertions, 8 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 865fcd125..b3c2db02b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -70,7 +70,7 @@ class ApplicationController < ActionController::Base
   end
 
   def current_session
-    @current_session ||= SessionActivation.find_by(session_id: session['auth_id'])
+    @current_session ||= SessionActivation.find_by(session_id: cookies.signed['_session_id'])
   end
 
   def cache_collection(raw, klass)
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index d51471d30..bf61ea0ea 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -1,17 +1,29 @@
 Warden::Manager.after_set_user except: :fetch do |user, warden|
-  SessionActivation.deactivate warden.raw_session['auth_id']
-  warden.raw_session['auth_id'] = user.activate_session(warden.request)
+  SessionActivation.deactivate warden.cookies.signed['_session_id']
+
+  warden.cookies.signed['_session_id'] = {
+    value: user.activate_session(warden.request),
+    expires: 1.year.from_now,
+    httponly: true,
+  }
 end
 
 Warden::Manager.after_fetch do |user, warden|
-  unless user.session_active?(warden.raw_session['auth_id'])
+  if user.session_active?(warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'])
+    warden.cookies.signed['_session_id'] = {
+      value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
+      expires: 1.year.from_now,
+      httponly: true,
+    }
+  else
     warden.logout
     throw :warden, message: :unauthenticated
   end
 end
 
 Warden::Manager.before_logout do |_, warden|
-  SessionActivation.deactivate warden.raw_session['auth_id']
+  SessionActivation.deactivate warden.cookies.signed['_session_id']
+  warden.cookies.delete('_session_id')
 end
 
 Devise.setup do |config|
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
index 9a4c8fd3c..4f7399505 100644
--- a/spec/rails_helper.rb
+++ b/spec/rails_helper.rb
@@ -20,11 +20,16 @@ Sidekiq::Logging.logger = nil
 Devise::Test::ControllerHelpers.module_eval do
   alias_method :original_sign_in, :sign_in
 
-  def sign_in(resource, deprecated = nil, scope: nil)
+  def sign_in(resource, _deprecated = nil, scope: nil)
     original_sign_in(resource, scope: scope)
 
-    SessionActivation.deactivate warden.raw_session["auth_id"]
-    warden.raw_session["auth_id"] = resource.activate_session(warden.request)
+    SessionActivation.deactivate warden.cookies.signed['_session_id']
+
+    warden.cookies.signed['_session_id'] = {
+      value: resource.activate_session(warden.request),
+      expires: 1.year.from_now,
+      httponly: true,
+    }
   end
 end