Save the session id encrypted in a cookie. This makes it difficult for potential hackers to modify cookie contents. They will still be able to see how the session id is generated in the gem's source code, but can't guess the sequence because the session id is encrypted.

We can use encrypted cookies as Rails does by adding the logic from the Rails encrypted CookieStore.

This uses the secret_token and secret_key_base values as saved in config/initializers/secret_token.rb for encryption.

This adds quite a bit more code to the code base and requires additional testing of course. I would copy most of the tests from the Rails test suite.

Whoever wants to pick this up is free to do so :)

Extracted from #23

I suggest kicking those rubies < 2.3.1 out. It's all the same. 2.4.0 introduces some breaking things though.

Description

On https://github.com/mongoid/mongo_session_store/ the repo description is outdated:

Rails session store class implemented for MongoMapper and Mongoid

This should be something along the lines of:

MongoSessionStore is a Rails-compatible session store for MongoDB using either Mongoid or the MongoDB Ruby Driver. It also allows for custom Mongo session store that works with any (or no!) Mongo ODM.

The tags should be: mongoid, mongodb, rails, session-management, session-store

Url

The repo description also links to http://boldr.net/rails-sessions-mongodb. The link is dead, so is its parent website.

Can someone update this to have no link, link the repo itself (which seem redundant) or link to the mongoid community page?

@dblock could you help?

I contacted Github support to detach this fork from https://github.com/mongoid/mongo_session_store.

The current implementation of the gem sets the session_id of the session in a cookie in plain text. A person could sign in as a any user as long as they know the session id and set a cookie with this id.

// Paste in console of a browser that's not signed in
// and replace {session_id} with the contents of your browser's _session_id cookie
document.cookie="_session_id={session_id}; path=/";

This upon itself is an issue. It gets worse because the session id generated is using BSON::ObjectId. BSON::ObjectId is mostly sequential and would be guessable or at least bruteforceable. https://docs.mongodb.com/v3.2/reference/method/ObjectId/

Solutions

Use more random session_ids

We could favor SecureRandom.uuid for generating session ids, even use it in combination with MongoDB uuids. Or use what Rails uses as a default SecureRandom.hex(16). These alternative primary keys are more random, could still theoretically be bruteforcable, but very unlikely.

Using non optimized data types increases the index size, but does still work and enforces a unique primary key for the document collection.

This approach is used by the activerecord-session_store and sequel-rails alternatives.

Encrypted cookies

Save the session id encrypted in a cookie. This makes it difficult for potential hackers to modify cookie contents. They will still be able to see how the session id is generated in the gem's source code, but can't guess the sequence because the session id is encrypted.

We can use encrypted cookies as Rails does by adding the logic from the Rails encrypted CookieStore.

This uses the secret_token and secret_key_base values as saved in config/initializers/secret_token.rb for encryption.

This adds quite a bit more code to the code base and requires additional testing of course. I would copy most of the tests from the Rails test suite.

WDYT?

WDYT? Let me know what options we favor?
Personally I'm even thinking of using both. Starting with just "Use more random session_ids" and adding encrypted cookies later.

Support for jRuby and Rubinius was added by Brian Hempel in his fork. It wasn't merged in PR #13 after updates in my fork. Will try to add support later.

• Add support for jRuby
• Add support for Rubinius
• Fix any issues that might occur
• Add tests to TravisCI matrix

Hi,

I'm getting this error when using mongo_session_store with devise. I tried with both mongo_mapper and mongoid and both hit the same problem. when trying to login, it hit the following stack trace.

I'm not sure why warden is calling destroy during login in. I tried to add destroy(env) with empty method to mongo_session_store's mongo_mapper and mongo_id's code, it stopped the warning but devise doesn't think a user has logged in when he is.

Anyone has any suggestions on how to fix this?

Thanks,
Wei

destroy needs to be implemented.

Application Trace | Framework Trace | Full Trace
actionpack (3.0.3) lib/action_dispatch/middleware/session/abstract_store.rb:252:in destroy' actionpack (3.0.3) lib/action_dispatch/middleware/session/abstract_store.rb:105:insend'
actionpack (3.0.3) lib/action_dispatch/middleware/session/abstract_store.rb:105:in destroy' devise (1.1.5) lib/devise/rails/warden_compat.rb:106:inreset_session'
devise (1.1.5) lib/devise/rails/warden_compat.rb:117
warden (1.0.2) lib/warden/hooks.rb:14:in call' warden (1.0.2) lib/warden/hooks.rb:14:in_run_callbacks'
warden (1.0.2) lib/warden/hooks.rb:9:in each' warden (1.0.2) lib/warden/hooks.rb:9:in_run_callbacks'
warden (1.0.2) lib/warden/manager.rb:53:in _run_callbacks' warden (1.0.2) lib/warden/proxy.rb:164:inset_user'
warden (1.0.2) lib/warden/proxy.rb:275:in _perform_authentication' warden (1.0.2) lib/warden/proxy.rb:113:inauthenticate!'
devise (1.1.5) app/controllers/devise/sessions_controller.rb:13:in create' actionpack (3.0.3) lib/action_controller/metal/implicit_render.rb:4:insend_action'
actionpack (3.0.3) lib/action_controller/metal/implicit_render.rb:4:in send_action' actionpack (3.0.3) lib/abstract_controller/base.rb:151:inprocess_action'
actionpack (3.0.3) lib/action_controller/metal/rendering.rb:11:in process_action' actionpack (3.0.3) lib/abstract_controller/callbacks.rb:18:inprocess_action'
activesupport (3.0.3) lib/active_support/callbacks.rb:440:in _run__1010667671__process_action__1623385099__callbacks' activesupport (3.0.3) lib/active_support/callbacks.rb:409:insend'
activesupport (3.0.3) lib/active_support/callbacks.rb:409:in _run_process_action_callbacks' activesupport (3.0.3) lib/active_support/callbacks.rb:93:insend'
activesupport (3.0.3) lib/active_support/callbacks.rb:93:in run_callbacks' actionpack (3.0.3) lib/abstract_controller/callbacks.rb:17:inprocess_action'
actionpack (3.0.3) lib/action_controller/metal/instrumentation.rb:30:in process_action' activesupport (3.0.3) lib/active_support/notifications.rb:52:ininstrument'
activesupport (3.0.3) lib/active_support/notifications/instrumenter.rb:21:in instrument' activesupport (3.0.3) lib/active_support/notifications.rb:52:ininstrument'
actionpack (3.0.3) lib/action_controller/metal/instrumentation.rb:29:in process_action' actionpack (3.0.3) lib/action_controller/metal/rescue.rb:17:inprocess_action'
actionpack (3.0.3) lib/abstract_controller/base.rb:120:in process' actionpack (3.0.3) lib/abstract_controller/rendering.rb:40:inprocess'
actionpack (3.0.3) lib/action_controller/metal.rb:138:in dispatch' actionpack (3.0.3) lib/action_controller/metal/rack_delegation.rb:14:indispatch'
actionpack (3.0.3) lib/action_controller/metal.rb:178:in action' actionpack (3.0.3) lib/action_dispatch/routing/route_set.rb:62:incall'
actionpack (3.0.3) lib/action_dispatch/routing/route_set.rb:62:in dispatch' actionpack (3.0.3) lib/action_dispatch/routing/route_set.rb:27:incall'
actionpack (3.0.3) lib/action_dispatch/routing/mapper.rb:35:in call' rack-mount (0.6.13) lib/rack/mount/route_set.rb:148:incall'
rack-mount (0.6.13) lib/rack/mount/code_generation.rb:93:in recognize' rack-mount (0.6.13) lib/rack/mount/code_generation.rb:68:inoptimized_each'
rack-mount (0.6.13) lib/rack/mount/code_generation.rb:92:in recognize' rack-mount (0.6.13) lib/rack/mount/route_set.rb:139:incall'
actionpack (3.0.3) lib/action_dispatch/routing/route_set.rb:492:in call' warden (1.0.2) lib/warden/manager.rb:35:incall'
warden (1.0.2) lib/warden/manager.rb:34:in catch' warden (1.0.2) lib/warden/manager.rb:34:incall'
actionpack (3.0.3) lib/action_dispatch/middleware/best_standards_support.rb:17:in call' actionpack (3.0.3) lib/action_dispatch/middleware/head.rb:14:incall'
rack (1.2.1) lib/rack/methodoverride.rb:24:in call' actionpack (3.0.3) lib/action_dispatch/middleware/params_parser.rb:21:incall'
actionpack (3.0.3) lib/action_dispatch/middleware/flash.rb:182:in call' actionpack (3.0.3) lib/action_dispatch/middleware/session/abstract_store.rb:149:incall'
actionpack (3.0.3) lib/action_dispatch/middleware/cookies.rb:295:in call' activerecord (3.0.3) lib/active_record/query_cache.rb:32:incall'
activerecord (3.0.3) lib/active_record/connection_adapters/abstract/query_cache.rb:28:in cache' activerecord (3.0.3) lib/active_record/query_cache.rb:12:incache'
activerecord (3.0.3) lib/active_record/query_cache.rb:31:in call' activerecord (3.0.3) lib/active_record/connection_adapters/abstract/connection_pool.rb:353:incall'
actionpack (3.0.3) lib/action_dispatch/middleware/callbacks.rb:46:in call' activesupport (3.0.3) lib/active_support/callbacks.rb:415:in_run_call_callbacks'
actionpack (3.0.3) lib/action_dispatch/middleware/callbacks.rb:44:in call' rack (1.2.1) lib/rack/sendfile.rb:107:incall'
actionpack (3.0.3) lib/action_dispatch/middleware/remote_ip.rb:48:in call' actionpack (3.0.3) lib/action_dispatch/middleware/show_exceptions.rb:46:incall'
railties (3.0.3) lib/rails/rack/logger.rb:13:in call' rack (1.2.1) lib/rack/runtime.rb:17:incall'
activesupport (3.0.3) lib/active_support/cache/strategy/local_cache.rb:72:in call' rack (1.2.1) lib/rack/lock.rb:11:incall'
rack (1.2.1) lib/rack/lock.rb:11:in synchronize' rack (1.2.1) lib/rack/lock.rb:11:incall'
actionpack (3.0.3) lib/action_dispatch/middleware/static.rb:30:in call' railties (3.0.3) lib/rails/application.rb:168:incall'
railties (3.0.3) lib/rails/application.rb:77:in send' railties (3.0.3) lib/rails/application.rb:77:inmethod_missing'
railties (3.0.3) lib/rails/rack/log_tailer.rb:14:in call' rack (1.2.1) lib/rack/content_length.rb:13:incall'
rack (1.2.1) lib/rack/handler/webrick.rb:52:in service' /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/httpserver.rb:104:inservice'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in run' /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:173:instart_thread'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:162:in start' /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:162:instart_thread'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:95:in start' /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:92:ineach'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:92:in start' /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:23:instart'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:82:in start' rack (1.2.1) lib/rack/handler/webrick.rb:13:inrun'
rack (1.2.1) lib/rack/server.rb:213:in start' railties (3.0.3) lib/rails/commands/server.rb:65:instart'
railties (3.0.3) lib/rails/commands.rb:30
railties (3.0.3) lib/rails/commands.rb:27:in tap' railties (3.0.3) lib/rails/commands.rb:27 script/rails:6:inrequire'
script/rails:6

If i set cookie name (key)

Rails.application.config.session_store :mongoid_store, key: :session

session is recreated on every request. How can i fix this?

After following the readme for MongoMapper (installing gem, config gems, setting the session_store):

/Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/mongo_session_store-1.1.0/lib/mongo_session_store/mongo_mapper.rb:12:in <class:Session>': undefined methodensure_indexes!' for MongoMapper:Module (NoMethodError)
from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/mongo_session_store-1.1.0/lib/mongo_session_store/mongo_mapper.rb:7:in <class:MongoMapperStore>' from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/mongo_session_store-1.1.0/lib/mongo_session_store/mongo_mapper.rb:5:inmodule:Session'
from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/mongo_session_store-1.1.0/lib/mongo_session_store/mongo_mapper.rb:4:in <module:ActionController>' from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/mongo_session_store-1.1.0/lib/mongo_session_store/mongo_mapper.rb:3:in<top (required)>'
from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:156:in require' from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:156:inblock in require'
from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:521:in new_constants_in' from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:156:inrequire'
from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/rails-2.3.5/lib/rails/gem_dependency.rb:208:in load' from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/rails-2.3.5/lib/initializer.rb:307:inblock in load_gems'
from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/rails-2.3.5/lib/initializer.rb:307:in each' from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/rails-2.3.5/lib/initializer.rb:307:inload_gems'
from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/rails-2.3.5/lib/initializer.rb:164:in process' from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/rails-2.3.5/lib/initializer.rb:113:inrun'
from /Volumes/Development/broler/config/environment.rb:9:in <top (required)>' from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:156:inrequire'
from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:156:in block in require' from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:521:innew_constants_in'
from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:156:in require' from /Users/atrapp/.rvm/gems/ruby-1.9.1-p378/gems/rails-2.3.5/lib/commands/server.rb:84:in<top (required)>'
from script/server:3:in require' from script/server:3:in

ruby 1.9.1
rails 2.3.5
mongo 0.18.3
mongo_mapper 0.7.0
mongo_session_store 1.1.0

This means cleaning up CHANGELOG. See mongoid/mongoid-geospatial#52 for an example.

See @drgcms's fork's fork for a start.

Related: brianhempel#33

Hi! Got this error when I followed the install instructions for Mongoid running Rails 3.0.3:

sample_app/config/initializers/session_store.rb:10:in <top (required)>': undefined methodsession_store=' for ActionController::Base:Class (NoMethodError)

I changed the line :

ActionController::Base.session_store = :mongoid_store

to:

NameOfMyApp::Application.config.session_store = :mongoid_store

Seems to be working now!

We need a @mongoid admin to activate TravisCI for this repository: https://travis-ci.org/profile/mongoid

@dblock can you do this or contact an admin?

I get this:

No compatible versions could be found for required dependencies:
    actionpack (~> 3.0, runtime) not found in any of the sources
      required by mongo_session_store (= 2.0.0.pre, runtime)
    All possible versions of origin requirements conflict.

...which I'm guessing is because 3.0.0.beta3 doesn't match 3.0, being a prerelease.

Does this work with Rails 3? I can't get it to install because it depends on ActionPack 2.3.x.

Support for MongoMapper is present in version 2 of the gem.

Right now, the pre version 3 version of the gem doesn't include MongoMapper support after PR #13.

Respond to this issue if you need MongoMapper support and version 2 doesn't work anymore.

Support for Rails 3 is present in version 2 of the gem.

Right now, the pre version 3 version of the gem doesn't include Rails 3 support after PR #13.

Respond to this issue if you need Rails 3 support and version 2 doesn't work anymore. In the meantime you can also try and use the mongo_session_store-rails3 gem, but we'd really like to know if you use it.

Stale sessions start to pollute the sessions collection.

It could be useful to have an option to delete sessions based on age/updated_at

MongoSessionStore.max_age = 1.week

I followed the instructions, however I get the following error when running the app.

Rails: Rails 3.1.0.rc1
Ruby: 1.9.2p180

Here is my Gemfile:

gem "mongoid"
gem "bson_ext"
gem "mongo_session_store", "= 2.0.0.pre"

Here is my session_store.rb:

require "mongo_session_store/mongoid"
Testapp::Application.config.session_store :mongoid_store

Framework trace:

NameError

uninitialized constant BSON::ObjectID
Rails.root: /Users/matt/Projects/testapp

mongo_session_store (2.0.0.pre) lib/mongo_session_store/mongoid.rb:43:in find_session' mongo_session_store (2.0.0.pre) lib/mongo_session_store/mongoid.rb:28:inget_session'
rack (1.3.0) lib/rack/session/abstract/id.rb:234:in load_session' actionpack (3.1.0.rc1) lib/action_dispatch/middleware/session/abstract_store.rb:47:inblock in load_session'
actionpack (3.1.0.rc1) lib/action_dispatch/middleware/session/abstract_store.rb:55:in stale_session_check!' actionpack (3.1.0.rc1) lib/action_dispatch/middleware/session/abstract_store.rb:47:inload_session'
rack (1.3.0) lib/rack/session/abstract/id.rb:122:in load!' rack (1.3.0) lib/rack/session/abstract/id.rb:114:inload_for_read!'
rack (1.3.0) lib/rack/session/abstract/id.rb:64:in has_key?' actionpack (3.1.0.rc1) lib/action_dispatch/middleware/flash.rb:260:inensure in call'
actionpack (3.1.0.rc1) lib/action_dispatch/middleware/flash.rb:261:in call' rack (1.3.0) lib/rack/session/abstract/id.rb:195:incontext'
rack (1.3.0) lib/rack/session/abstract/id.rb:190:in call' actionpack (3.1.0.rc1) lib/action_dispatch/middleware/cookies.rb:321:incall'
activerecord (3.1.0.rc1) lib/active_record/query_cache.rb:54:in call' activerecord (3.1.0.rc1) lib/active_record/connection_adapters/abstract/connection_pool.rb:448:incall'
actionpack (3.1.0.rc1) lib/action_dispatch/middleware/callbacks.rb:29:in block in call' activesupport (3.1.0.rc1) lib/active_support/callbacks.rb:392:in_run_call_callbacks'
activesupport (3.1.0.rc1) lib/active_support/callbacks.rb:81:in run_callbacks' actionpack (3.1.0.rc1) lib/action_dispatch/middleware/callbacks.rb:28:incall'
actionpack (3.1.0.rc1) lib/action_dispatch/middleware/reloader.rb:68:in call' rack (1.3.0) lib/rack/sendfile.rb:102:incall'
actionpack (3.1.0.rc1) lib/action_dispatch/middleware/remote_ip.rb:48:in call' actionpack (3.1.0.rc1) lib/action_dispatch/middleware/show_exceptions.rb:47:incall'
railties (3.1.0.rc1) lib/rails/rack/logger.rb:13:in call' rack (1.3.0) lib/rack/methodoverride.rb:24:incall'
rack (1.3.0) lib/rack/runtime.rb:17:in call' activesupport (3.1.0.rc1) lib/active_support/cache/strategy/local_cache.rb:72:incall'
rack (1.3.0) lib/rack/lock.rb:34:in call' actionpack (3.1.0.rc1) lib/action_dispatch/middleware/static.rb:53:incall'
railties (3.1.0.rc1) lib/rails/rack/content_length.rb:16:in call' railties (3.1.0.rc1) lib/rails/engine.rb:438:incall'
railties (3.1.0.rc1) lib/rails/rack/log_tailer.rb:14:in call' rack (1.3.0) lib/rack/handler/webrick.rb:59:inservice'
/Users/matt/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/webrick/httpserver.rb:111:in service' /Users/matt/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/webrick/httpserver.rb:70:inrun'
/Users/matt/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/webrick/server.rb:183:in `block in start_thread'

Hi!

I've been thinking about this for quite some time.

At first I was annoyed that whenever crawlers visit my web pages, they do not retain cookies. So every visit to site made a write into session store collection, which was never used again. I ended up making a batch job, which was deleting from session store all document which had created_at value equal to updated_at value. Later I found out that setting session to nil avoids this behavior, so this problem doesn't exist anymore.

Then I have one idea. I really need mongo session store only when users are logged in. Data required for guest user is so small that it can easily be stored to Rails cookie store. Even users, which are not CMS editors, don't need session data stored into mongo session store. On positive side this would make one read and write less to MongoDB per visit and can have huge impact on speed optimized web sites.

My question or proposal for an update is? Is there a way to fallback to cookie session store, when mongo session store is not required and how to do it?

Thanks and stay healty
Damjan Rems

Hello there,
I get:

TypeError at /documents can't dump IO.

mongo_session_store (3.2.1) lib/mongo_session_store/mongoid_store.rb, line 17

   store_in collection: MongoSessionStore.collection_name

    field :_data, type: BSON::Binary, default: -> { pack({}) }

    def self.pack(data)

17 BSON::Binary.new(Marshal.dump(data), :generic)

    end

Note:
This error does not appear with Rails 6.1.4.6 and Ruby 3.1.1

PS:
This error appears if params[...] is stored to mongoid session store.
It does not appear if params[...].to_enum.to_h is stored to mongoid session store instead.

I'm not exactly sure which combo yields the error, but the basic gist is that I was trying to upgrade our rails app to Rails 6, latest mongoid, and the latest rack versions. Somewhere along the way, doing that started throwing an "undefined method `bson_type' for #Rack::Session::SessionId:0x00007f9c9e2c4d08" error.

I ended up reporting the issue to the guys at mongoid since I wasn't sure if it was mongoid or the bson gems - https://jira.mongodb.org/browse/RUBY-2095 . They ended up asking if I could recreate the issue in a rails app, so I did, and upon doing so realized that the issue was actually surfacing from the mongo_session_store gem itself (https://github.com/mongoid/mongo_session_store/blob/master/lib/mongo_session_store/mongo_store_base.rb#L49)

For anyone else that comes across this, until it's patched in this repo you can monkey patch things with a file in config/initializers/mongo_session_store_monkey_patch with the following code:

module ActionDispatch
  module Session
    class MongoStoreBase < AbstractStore
      def find_or_initialize_session(id)
        existing_session = (id && session_class.where(:_id => id.to_s).first)
        session = existing_session if existing_session
        session ||= session_class.new(:_id => generate_sid)
        [session._id, session]
      end
    end
  end
end