@jcrossley3
Created July 27, 2010 16:58

<adamw1pl> all session data is stored in the java session, right? that’s what the servlet_session.rb seems to do
<bobmcw> yep
<bobmcw> we try to decompose it into java-session key/value pairs, where we can [10:43]
<bobmcw> and make them all accessible from your java side
<bobmcw> session[:answer]=42
<bobmcw> session.get( "answer" ) => 42 java.lang.Integer
<adamw1pl> ok cool
<adamw1pl> so …
<adamw1pl> the session store config in ruby doesn’t matter
<adamw1pl> right?
<bobmcw> oh, we did something there
<bobmcw> I think by default, you get the magic java-linked session store [10:44]
<bobmcw> but I’m not 100% sure
<bobmcw> you may have to enable it as a non-default session store, but I don’t recall how right off hand
<bobmcw> perhaps :java as a value
<bobmcw> poke around in the code, let me know what you find
<bobmcw> or jc3 might be able to help poke and answer it [10:45]
<adamw1pl> well there’s only the JSESSIONID cookie
<adamw1pl> even though I have the cookie store configured
<adamw1pl> so it’s probably as you say [10:46]
<adamw1pl> so … the session checking with the secret key isn’t really necessary, right?
<bobmcw> yah, we piggyback on JSESSIONID [10:47]
<bobmcw> we have to do some magic, though, for XSS and form submissions
<bobmcw> so I guess the secret key might not be needed
<bobmcw> you should be able to override the session store still, I think
<bobmcw> if you want to do just cookie store
<adamw1pl> heh no, I’m fine with how it is, just trying to understand [10:48]
<adamw1pl> ok, another question - you don’t know why there’s one java session when I first enter the page, and then when I refresh I get another one? (subsequent requests return the same one) [10:49]
<bbrowning> Looks like in Rails 2.3x the session store is forced to JBoss::Session::Servlet [10:51]
<bbrowning> http://github.com/torquebox/torquebox/blob/master/components/rails/rails-core/src/main/java/org/torquebox/rails/core/rails_init.rb#L74
<bobmcw> bbrowning: I think adam’s on b19, but that should be un-changed, yah
<bbrowning> bobmcw: ahh yeah good point
<bobmcw> adamw1pl: not sure what’s up… do you end up having 2 jsessionid cookies?
<adamw1pl> b20 [10:52]
<bobmcw> or does one disappear?
<adamw1pl> nope, just one
<bobmcw> probably a mis-use of getSession(true) by torquebox
<adamw1pl> so all works fine after the first page hist
<bobmcw> I recall there’s some valid reason, though, involving the XSS/form-security stuff
<adamw1pl> hit
<bobmcw> if first page has a form you submit, does it fail?
<bobmcw> jc3: ^^ integration test candidate
<adamw1pl> form works I think [10:53]
<adamw1pl> if I get the authenticity token by myself it doesn’t ;)
