
The ultimate community for Ruby on Rails developers.


CookieOverflow when set session with a large object

session CookieOverflow controller

2 replies to this topic

#1 João e o pé de feijão


  • Members
  • 5 posts

Posted 03 February 2014 - 09:07 PM

Who knows why, when I put my object array in a session, I get an error?



def show
  @seg_usuario = SegUsuario.find( params[:id].to_i )
  session[:usuario] = Hash.new
  # Error: the whole association is stored in the session
  session[:usuario][:perfis] = @seg_usuario.UsuarioPerfis
  # No error: only the first two records are stored
  #session[:usuario][:perfis] = @seg_usuario.UsuarioPerfis[0..1]
end

The error is about ActionDispatch::Cookies::CookieOverflow


Does Rails 3 have a size limit on a session object?

#2 Ohm



  • Moderators
  • 529 posts
  • Location: Copenhagen

Posted 04 February 2014 - 05:40 AM

Remember that the cookie is set at the user's end and sent to the server with each request.

Do you really need this object to be sent back and forth all the time?


There is a 4 KB limit on the cookie.


Blog: http://ohm.sh | Twitter: @madsohm | Work: Lokalebasen.dk

#3 james



  • Members
  • 223 posts
  • Location: Leeds, U.K.

Posted 04 February 2014 - 09:09 PM

Cookies should always be kept to the simplest possible data. The 4 KB limit that Ohm mentioned is not a Rails limit; it's a web limit and applies to all cookies.

Also remember that cookies can be easily manipulated by the user on their local machine before being sent back to the web server. DON'T TRUST data coming in from the outside world.


Stick with storing simple ids for records and validate the ids on each request. If, for example, the id is a key for a record that belongs to the logged-in user, verify that the logged-in user "owns" the record and that the record is not for some other user.


The following is a typical example of a controller method that might be relying on a cookie:

@some_order = @current_user.orders.find(session[:some_secure_key])

Then a check to ensure that @some_order contains a record is enough. If no record is found but the id exists in the database, you can be pretty sure that the user is messing around with cookies to see if they can hack your site.

Programming is just about problem solving!
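Added example, not code from the thread or from Rails itself: a minimal stand-in for the cookie store's size check (Marshal + Base64, refused above 4096 bytes, the same limit ActionDispatch enforces), showing why the whole UsuarioPerfis association overflows while a list of ids does not, plus the ownership-scoped lookup james describes. Perfil, build_perfis and find_owned are constructed names for the illustration.

```ruby
require "base64"

# Same byte limit ActionDispatch applies to a single cookie.
MAX_COOKIE_SIZE = 4096

class CookieOverflow < StandardError; end

# Serialise a session hash the way the Rails 3 cookie store does
# (Marshal, then Base64) and refuse anything that would not fit in one cookie.
def encode_session(session)
  encoded = Base64.strict_encode64(Marshal.dump(session))
  if encoded.bytesize > MAX_COOKIE_SIZE
    raise CookieOverflow, "#{encoded.bytesize} bytes exceeds #{MAX_COOKIE_SIZE}"
  end
  encoded
end

# True when the session fits in a cookie, false when it would overflow.
def fits_in_cookie?(session)
  encode_session(session)
  true
rescue CookieOverflow
  false
end

# Constructed stand-in for an ActiveRecord row such as a UsuarioPerfil.
Perfil = Struct.new(:id, :usuario_id, :nome, :descricao)

# Build `count` records, all owned by usuario_id 1, each ~100 bytes of text.
def build_perfis(count)
  (1..count).map { |i| Perfil.new(i, 1, "perfil #{i}", "descricao " * 10) }
end

# Ownership check from the last post: resolve the id *through* the logged-in
# user's own records, so an id tampered to point at someone else's row is nil.
def find_owned(records, usuario_id, id)
  records.find { |r| r.usuario_id == usuario_id && r.id == id }
end

if __FILE__ == $0
  perfis = build_perfis(200)
  puts "whole records fit: #{fits_in_cookie?(usuario: { perfis: perfis })}"
  puts "ids only fit:      #{fits_in_cookie?(usuario: { perfil_ids: perfis.map(&:id) })}"
  puts "owned lookup:      #{find_owned(perfis, 1, 7).inspect}"
  puts "foreign lookup:    #{find_owned(perfis, 2, 7).inspect}"
end
```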
