How to enforce ActiveRecord session store with Rails 2.0.2?

All,

Rails 2.0.2
SQL Server 2000 database
SQL Server AR adapter 1.0 using ODBC

Apparently the new default session store is cookie based. I was using
the ActiveRecord based session store and would like to continue to do
so.

It appears that session data is not being written to my sessions table
as used to be the case under 1.2.6.

My environment.rb file has the following:

Rails::Initializer.run do |config|
...
  config.action_controller.session_store = :active_record_store
...
end

Is this directive no longer sufficient for forcing the session store to
be a DB table named "sessions"? If that is the case, what is the
correct way to specify the AR session store?

Thanks,
Wes

I just created a simple test application and set it up to use the
database for session storage.

Step 1: config/environment.rb
  # Use the database for sessions instead of the cookie-based default,
  # which shouldn't be used to store highly confidential information
  # (create the session table with 'rake db:sessions:create')
  config.action_controller.session_store = :active_record_store

Step 2: controllers/application.rb
  # See ActionController::RequestForgeryProtection for details
  # Uncomment the :secret if you're not using the cookie session store
  protect_from_forgery :secret => '5c0cf093b4866f589b91a08c048f7bfa'

This worked just fine in my test app.

Is the protect_from_forgery setting necessary?

Wes

Yes.

Wes Gamble wrote:

OK, so if I just copy and paste that line into my application.rb, I get
the exception:

ActionController::InvalidAuthenticityToken

Obviously, this token needs to be generated somehow locally by me - can
you point me at any documentation that explains how to do that?

Thanks,
Wes

Even though this is kinda old, I'd like to point out that maybe you should
clear your cookie, reload the page and try again. I think it should
create a new cookie with a correct token to associate with the session
on the database.
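
Added example (not part of the thread and not Rails' own code): a model of a form token bound to the server-side session, showing why a token stops validating when the session id or the :secret changes, and how to generate a secret of your own instead of reusing the one posted above. It assumes the token is an HMAC-SHA1 of the session id keyed by the secret; the helper names and sample session ids are hypothetical.

```ruby
require 'openssl'
require 'securerandom'

# Generate an application-specific secret (32 hex characters, the same shape
# as the value shown in the thread). A secret copied from a public post is
# known to everyone who read it.
def generate_secret
  SecureRandom.hex(16)
end

# Assumption: the token is HMAC-SHA1(secret, session_id), hex encoded.
def authenticity_token(secret, session_id)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret.to_s, session_id.to_s)
end

# Constant-time string comparison so the check does not leak how many
# leading characters of the submitted token were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# A request passes only if its token matches the one derived from the
# session the server currently associates with the browser.
def valid_token?(secret, session_id, submitted)
  return false if submitted.nil? || session_id.nil?
  secure_compare(authenticity_token(secret, session_id), submitted.to_s)
end

# Constructed sample data (not taken from the thread).
SECRET_A = generate_secret
SECRET_B = generate_secret
OLD_SESSION_ID = 'constructed-old-session-id'
NEW_SESSION_ID = 'constructed-new-session-id'

def demo
  form_token = authenticity_token(SECRET_A, OLD_SESSION_ID)
  {
    same_session:        valid_token?(SECRET_A, OLD_SESSION_ID, form_token),
    session_id_changed:  valid_token?(SECRET_A, NEW_SESSION_ID, form_token),
    secret_changed:      valid_token?(SECRET_B, OLD_SESSION_ID, form_token),
    missing_token:       valid_token?(SECRET_A, OLD_SESSION_ID, nil)
  }
end

puts demo.inspect if __FILE__ == $0
```

Only the `same_session` case validates; a form rendered under one session id or secret and submitted under another is rejected, which is the situation a stale cookie or a pasted-in secret can produce.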