On Tue, May 31, 2011 at 12:22, Rodrigo Rosenfeld Rosas <[email protected]>wrote:
> Em 31-05-2011 06:31, Christian Johansen escreveu: > > On Fri, May 27, 2011 at 10:40, Christian Johansen > <[email protected]>wrote: > >> >>> >>> But since you're asking so critically I have to admit I'm not entirely >>> sure if the session check is entirely required. However, it did seem to be >>> the thing that caused all the tests to fail? Maybe Marius has better memory >>> than me here? >>> >>> The only case we could think of that uses the session without the user >> being logged in is in the case of flash messages. However, flash messages >> are only used in actions that are POST-ed to, in which case the user should >> be on https already. So I think we can remove that part. >> >> I will fix this method on master. >> > > Finally remember the actual reason why we have the session expiry check. > The reason is caching. Rails is very eager when it comes to session cookies. > Basically as soon as you touch the session object, Rails _will_ send a > cookie. The cookies prevent us from utilizing our cache frontends properly. > So in this case, merely checking that the user is logged in will cause a > session cookie to be sent. I ended up with this: > > def using_session? > !request.session_options[:expire_after].nil? > end > > def ssl_allowed? > request.ssl? > end > > def ssl_required? > GitoriousConfig["use_ssl"] && using_session? && logged_in? > end > > Which at least reads clearer to me. What do you think? > > > Much clear undoubtedly! But still, if caching is a concern here, this > should be stated at least as a comment there. > Good point: # "Safely" check whether or not we're using the session. Unfortunately # simply touching the session object will prompt Rails to issue a session # cookie in the response, which in some cases breaks caching. # # Use this method as a guard in actions where cacheability is important, # and you most probably don't need to access the session. def using_session? !request.session_options[:expire_after].nil? end As far as I know, this issue is much easier to handle under Rails 3, which isn't as eager on sending session cookies. Christian -- To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected]
