A recent PCI scan called out our session cookie expires time. We use Memcache with Dalli to store our session data and implement an idle session expire, but the scan was not happy with the expire in the cookie. We essentially need what is described here: http://blog.carbonfive.com/2011/01/23/browser-session-cookies-and-dalli/
My solution was to patch module ActionDispatch::Session::CacheStore as follows:
module ActionDispatch
module Session
class CacheStore < AbstractStore
def initialize(app, options = {})
@cache = options[:cache] || Rails.cache
options[:expire_after] ||= @cache.options[:expires_in] unless options.key?(:expire_after)
super
end
end
end
end
And configured our session_stored.rb initializer with the Rails 3.0 legacy format:
require 'action_dispatch/middleware/session/dalli_store'
Rails.application.config.session_store :dalli_store,
:namespace => 'sessions',
:key => '_sessions',
:expire_after => nil,
:expires_in => 4.hours,
:compress => true,
:pool_size => 10
I believe the patch preserves the current expected functionality while allowing for my use case. Should I submit a pull request?