./actionpack/lib/action_controller/base.rb:84: # or you can remove the entire session with +reset_session+.
./actionpack/lib/action_controller/metal/rack_delegation.rb:22: def reset_session
./actionpack/lib/action_controller/metal/rack_delegation.rb:23: @_request.reset_session
./actionpack/lib/action_controller/metal/request_forgery_protection.rb:85: reset_session
./actionpack/lib/action_dispatch/http/request.rb:215: def reset_session
Sessions allow you to store objects in between requests. This is useful for objects that are not yet ready to be persisted, such as a Signup object constructed in a multi-paged process, or objects that don't change much and are needed all the time, such as a User object for a system that requires login. The session should not be used, however, as a cache for objects where it's likely they could be changed unknowingly. It's usually too much work to keep it all synchronized -- something databases already excel at.
You can place objects in the session by using the session method, which accesses a hash:
session[:person] = Person.authenticate(user_name, password)
And retrieved again through the same hash:
For removing objects from the session, you can either assign a single key to +nil+:
# removes :person from session
session[:person] = nil
or you can remove the entire session with +reset_session+.
Sessions are stored by default in a browser cookie that's cryptographically signed, but unencrypted.
This prevents the user from tampering with the session but also allows him to see its contents.
Do not put secret information in cookie-based sessions!
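A minimal model of the signed-but-unencrypted cookie described above, added here as an example and not Rails's own code. The `payload--digest` layout, HMAC-SHA1, JSON serialization, the secret and all function names are assumptions of this sketch.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed value for this example only.
SECRET = "constructed-demo-secret"

def digest_for(payload, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, payload)
end

# Server: serialize, Base64-encode, then append an HMAC over the encoded payload.
def sign_session(data, secret)
  payload = Base64.strict_encode64(JSON.generate(data))
  "#{payload}--#{digest_for(payload, secret)}"
end

# Constant-time comparison so the check does not leak how many characters matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server: return the session hash only when the digest matches, otherwise nil.
def verify_session(cookie, secret)
  payload, digest = cookie.to_s.split("--", 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(digest_for(payload, secret), digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Cookie holder: the payload is only Base64, so it decodes without the secret.
def read_without_secret(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split("--", 2).first))
end

# Cookie holder edits the payload but cannot recompute the digest.
def edited_copy(cookie, changes)
  payload, digest = cookie.split("--", 2)
  data = JSON.parse(Base64.strict_decode64(payload)).merge(changes)
  "#{Base64.strict_encode64(JSON.generate(data))}--#{digest}"
end

COOKIE = sign_session({ "user_id" => 42, "role" => "member" }, SECRET)
p read_without_secret(COOKIE)
p verify_session(COOKIE, SECRET)
p verify_session(edited_copy(COOKIE, { "role" => "admin" }), SECRET)
```

The first two calls return the session hash and the third returns nil: the contents are readable by whoever holds the cookie, while an edited payload fails verification.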
Other options for session storage:
* ActiveRecord::SessionStore - Sessions are stored in your database, which works better than PStore with multiple app servers and,
unlike CookieStore, hides your session contents from the user. To use ActiveRecord::SessionStore, set
in your config/initializers/session_store.rb and run script/rails g session_migration.
# This is the method that defines the application behavior when a request is found to be unverified.
# By default, \Rails resets the session when it finds an unverified request.
def handle_unverified_request
  reset_session
end
Grepping for this looks like a good approach, lol.