Rails 3 additional session configuration options (key, expires_after, secure)

Question

Can someone point out what the new Rails 3.x session configuration options are?

I\'m trying to duplicate the same configuration that I have in my Rails 2.3.x applica

Answer 1

You now configure the Cookie-based session store through an initializer, probably in config/initializers/session_store.rb. In Rails 3 the session store is a piece of middleware, and the configuration options are passed in with a single call to config.session_store:

Your::Application.config.session_store :cookie_store, :key => '_session'

You can put any extra options you want in the hash with :key, e.g.

Your::Application.config.session_store :cookie_store, {
  :key =>           '_session_id',
  :path =>          '/',
  :domain =>        nil,
  :expire_after =>  nil,
  :secure =>        false,
  :httponly =>      true,
  :cookie_only =>   true
}

(Those are just the standard defaults)

If you force SSL in production then setting secure on the cookie shouldn't really make a difference in practice, but you might want to set it just to be on the safe side...

Your::Application.config.session_store :cookie_store, {
  :key =>           '_session_id',
  :secure =>        Rails.env.production?
}