session is too large
session file created in tmp/sessions is 87K. Should be much smaller. I think this is preventing me from using active_record_session_store as well.
I came across this page while researching this ticket:
http://wiki.rubyonrails.org/rails/pages/HowtoAvoidSessionRestoreError
According to it:
It’s important that you don’t store the User object in the session, for security reasons. If the User is later deleted, or has its attributes changed, you run the risk of the session containing a stale object. This is particularly a problem if your application isn’t the only accessor of the database.
Seems like a change like this would resolve this ticket, and also address the issues raised on the wiki page.
The patch I'll attach here is a little less focused than my usual fare, so I thought it deserves a more detailed explanation than usual.
The patch makes a few changes:
Instead of the user object being stored in the session, the user_id is stored. This keeps the session much smaller. For some reason, in my case, the user model object AND its associations (lots of projects and contexts) were being persisted. That was the cause of the error I was seeing. The data was getting truncated on insert into the session table, so it couldn't be unmarshalled back out successfully. This includes a change to lib/login_system.rb.
I removed unnecessary code that sets @user from the session. This needs to happen with every request, and it does: in before_filter of the base application controller (which calls the get_current_user method). Since every controller extends from that one, the @user instance variable should always be available if there is a logged in session.
I replaced references to "@session" with "session", per DHH's recommendation:
"Direct access to these instance variables is deprecated. The same goes
for cookies, session, request, response, and the other accessors. Use
the accessor instead of going directly, so it's request.get? instead
of @request.get?."
source: http://groups.google.com/group/comp.lang.ruby/msg/9dd520d8b6d6a47d?hl=en&
I ran into warnings with constants within time and redcloth being redefined. I eliminated them by modifying app/controllers/application.rb. Instead of require 'Time' with a capital T, I made the 't' lowercase. This keeps it consistent with the require 'time' in vendor/rails/actionwebservice/lib/action_web_service/casting.rb. For the redcloth error, I changed the require_dependency to a require and that eliminated the errors. I understand that require_dependency is supposed to aid in development, but I suspect it may be in conflict with the 'require_library_or_gem "redcloth"' in vendor/rails/actionpack/lib/action_view/helpers/text_helper.rb.
For the most part, the net effect is simpler code, which leads me to believe it's a good patch. Feedback appreciated!
on 2006-04-01 19:56 *
By Anonymous
Attachment lmelia_user_id_in_session.patch added
lmelia_user_id_in_session.patch (http://www.assembla.com/spaces/tracks-tickets/documents/aH5eNA0S4r3yeuab7jnrAJ)
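The failure described in the comment above, as an added Ruby sketch that is not the attached patch or the project's code: a session holding the whole user object outgrows the session column and cannot be unmarshalled after truncation, while a session holding only the user_id fits and picks up a deleted account on the next lookup. `User`, `Project`, `build_users`, `current_user` and the 65,535-byte `COLUMN_LIMIT` are assumptions made for the illustration.

```ruby
# Added illustration: User, Project, build_users and COLUMN_LIMIT are constructed names.
User    = Struct.new(:id, :login, :projects)
Project = Struct.new(:id, :name, :notes)

# Assumed size limit of the session table's data column (not a value from the page).
COLUMN_LIMIT = 65_535

# Constructed stand-in for the users table: one user with many associated projects.
def build_users
  projects = (1..500).map { |i| Project.new(i, "project #{i}", "x" * 150) }
  { 1 => User.new(1, "alice", projects) }
end

# Serialize a session hash and cut it at the column limit, as a truncating insert would.
def store(session)
  Marshal.dump(session).byteslice(0, COLUMN_LIMIT)
end

# Restore a stored session; a truncated blob cannot be unmarshalled.
def restore(blob)
  Marshal.load(blob)
rescue ArgumentError, TypeError, EOFError
  :restore_error
end

# Per-request lookup by id, the job the comment assigns to the before_filter.
def current_user(users, session)
  users[session[:user_id]]
end

def demo
  users = build_users
  fat  = { user: users[1] }        # whole object graph in the session
  slim = { user_id: users[1].id }  # only the primary key
  fat_blob = Marshal.dump(fat)
  result = {
    fat_bytes:    fat_blob.bytesize,
    slim_bytes:   Marshal.dump(slim).bytesize,
    fat_restore:  restore(store(fat)),
    slim_restore: restore(store(slim)),
  }
  users.delete(1)  # account removed by another accessor of the database
  result[:stale_login] = Marshal.load(fat_blob)[:user].login  # untruncated copy still holds the user
  result[:fresh_user]  = current_user(users, result[:slim_restore])
  result
end

p demo.reject { |k, _| k == :fat_restore } if __FILE__ == $0
```
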