CookieOverflow when set session with a large object

Tags: session, CookieOverflow, controller


#1 João e o pé de feijão

João e o pé de feijão

    Passenger

  • Members
  • 5 posts

Posted 03 February 2014 - 09:07 PM

Who knows why, when I put my object array in a session, I get an error?

controller:

def show
  @seg_usuario = SegUsuario.find( params[:id].to_i )
  session[:usuario] = Hash.new
  # Error: the whole association (every UsuarioPerfis record) is serialized into the session cookie
  session[:usuario][:perfis] = @seg_usuario.UsuarioPerfis
  # No error: only the first two records are stored
  #session[:usuario][:perfis] = @seg_usuario.UsuarioPerfis[0..1]
end

The error is ActionDispatch::Cookies::CookieOverflow.

Does Rails 3 have a size limit on a session object?



#2 Ohm

Ohm

    Guard

  • Members
  • 179 posts
  • LocationCopenhagen

Posted 04 February 2014 - 05:40 AM

Remember that the cookie is set at the user's end and sent to the server at each request.

Do you really need this object to be sent back and forth all the time?

 

There is a 4 kb limit on the cookie.



Blog: http://ohm.sh | Twitter: madsohm


#3 james

james

    Guard

  • Moderators
  • 221 posts
  • LocationLeeds, U.K.

Posted 04 February 2014 - 09:09 PM

Cookies should always be kept to the simplest possible data. The 4 kb limit that Ohm mentioned is not a Rails limit; it's a web limit and applies to all cookies.

Also remember that cookies can be easily manipulated by the user on their local machine before being sent back to the web server. DON'T TRUST data coming in from the outside world.

 

Stick with storing simple ids for records and validate the ids on each request. If, for example, the id is a key for a record that belongs to the logged-in user, verify that the logged-in user "owns" the record and that the record is not for some other user.

 

The following is a typical example of a controller method that might be relying on a cookie:

@some_order = @current_user.orders.find(session[:some_secure_key])

Then a check to ensure that @some_order contains a record is enough. If no record is found but the id exists in the database, you can be pretty sure that the user is messing around with cookies to see if they can hack your site.


Programming is just about problem solving!
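The two points made in the replies above, the 4 kb cookie limit from Ohm's post and the "store ids, then look the record up through the owner" pattern from james's post, as an added example that is not code from the original thread. It runs without Rails: the cookie store is simulated with JSON + Base64 and a 4096-byte check (Rails 3's real CookieStore used Marshal, but the size problem is the same), and the Perfil and Order structs, the perfil_fixtures data and the find_owned_order helper are all constructed for this example.

```ruby
require "base64"
require "json"

# A cookie-backed session raises ActionDispatch::Cookies::CookieOverflow in
# Rails when the encoded session exceeds the browser cookie limit (4096 bytes).
MAX_COOKIE_BYTES = 4096

# Stand-in for the overflow error; constructed for this example.
class CookieOverflow < StandardError; end

# Constructed sample records standing in for ActiveRecord rows (assumption:
# a perfil row has an id, a name and a description; an order has an owner).
Perfil = Struct.new(:id, :nome, :descricao)
Order  = Struct.new(:id, :user_id, :total)

# Build `count` perfil rows with a realistic amount of text per row.
def perfil_fixtures(count)
  (1..count).map { |i| Perfil.new(i, "perfil_#{i}", "x" * 120) }
end

# Encode the session the way a cookie store does in spirit: serialize, then
# Base64 so it survives as a cookie value.
def cookie_payload(session_hash)
  Base64.strict_encode64(JSON.generate(session_hash))
end

def fits_in_cookie?(session_hash)
  cookie_payload(session_hash).bytesize <= MAX_COOKIE_BYTES
end

# Mimic the cookie store's size check: refuse to write an oversized session.
def store_in_cookie!(session_hash)
  payload = cookie_payload(session_hash)
  if payload.bytesize > MAX_COOKIE_BYTES
    raise CookieOverflow, "session is #{payload.bytesize} bytes, limit is #{MAX_COOKIE_BYTES}"
  end
  payload
end

# What the question's controller does: every record goes into the cookie.
def session_with_objects(perfis)
  { usuario: { perfis: perfis.map(&:to_h) } }
end

# What the replies recommend: only ids go into the cookie.
def session_with_ids(perfis)
  { usuario: { perfil_ids: perfis.map(&:id) } }
end

# The ownership check from the last reply: resolve the id from the session
# *through* the current user's own orders, so a tampered id that belongs to
# another user simply finds nothing (nil) instead of leaking that user's row.
def find_owned_order(orders, current_user_id, session_order_id)
  orders.find { |o| o.user_id == current_user_id && o.id == session_order_id }
end

if __FILE__ == $PROGRAM_NAME
  many = perfil_fixtures(40)
  puts "objects in cookie: #{cookie_payload(session_with_objects(many)).bytesize} bytes"
  puts "ids in cookie:     #{cookie_payload(session_with_ids(many)).bytesize} bytes"
  begin
    store_in_cookie!(session_with_objects(many))
  rescue CookieOverflow => e
    puts "CookieOverflow: #{e.message}"
  end
  orders = [Order.new(1, 10, 99.0), Order.new(2, 20, 15.0)]
  p find_owned_order(orders, 10, 2) # nil: order 2 belongs to user 20
end
```

The cookie also only carries what the server can re-fetch cheaply: with ids in the session the controller reloads the rows on each request, and a lookup scoped to the current user is what makes a forged id harmless.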





