A recent PCI scan called out our session cookie expires time. We use Memcache with Dalli to store our session data and implement an idle session expire, but the scan was not happy with the expire in the cookie. We essentially need what is described here: http://blog.carbonfive.com/2011/01/23/browser-session-cookies-and-dalli/
My solution was to patch module ActionDispatch::Session::CacheStore <https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/session/cache_store.rb#L13> as follows:

    module ActionDispatch
      module Session
        class CacheStore < AbstractStore
          def initialize(app, options = {})
            @cache = options[:cache] || Rails.cache
            # Fall back to the cache's :expires_in only when :expire_after was not
            # passed at all, so an explicit nil yields a browser-session cookie.
            options[:expire_after] ||= @cache.options[:expires_in] unless options.key?(:expire_after)
            super
          end
        end
      end
    end

And configured our session_stored.rb initializer with the Rails 3.0 legacy format:

    require 'action_dispatch/middleware/session/dalli_store'
    Rails.application.config.session_store :dalli_store,
      :namespace => 'sessions',
      :key => '_sessions',
      :expire_after => nil,
      :expires_in => 4.hours,
      :compress => true,
      :pool_size => 10

I believe the patch preserves the current expected functionality while allowing for my use case. Should I submit a pull request?
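
Added example (not part of the original post and not Rails code): a stdlib-only Ruby model of the option handling discussed above. It compares the unpatched fallback, assumed here to be a bare `options[:expire_after] ||= @cache.options[:expires_in]`, with the patched rule, and shows the resulting cookie next to a server-side idle timeout. The helper names, `IdleStore` and the sample values are constructed for illustration.

```ruby
require 'time'

FOUR_HOURS = 4 * 60 * 60
OPTS = { key: '_sessions', expire_after: nil }.freeze # constructed, mirrors the post's config

# Unpatched rule (assumed): an explicit nil is overwritten by the cache TTL.
def stock_expire_after(options, cache_expires_in)
  options = options.dup
  options[:expire_after] ||= cache_expires_in
  options[:expire_after]
end

# Rule from the post: fall back only when the key is absent, so nil survives.
def patched_expire_after(options, cache_expires_in)
  options = options.dup
  options[:expire_after] ||= cache_expires_in unless options.key?(:expire_after)
  options[:expire_after]
end

# Simplified Set-Cookie builder (hypothetical helper, not Rack's own).
def set_cookie(key, sid, expire_after, now)
  parts = ["#{key}=#{sid}", 'path=/', 'HttpOnly']
  parts << "expires=#{(now + expire_after).httpdate}" if expire_after
  parts.join('; ')
end

# Minimal TTL store standing in for memcached. Each read rewrites the entry,
# re-arming the TTL, so the idle timeout is enforced without a cookie expiry.
class IdleStore
  def initialize(ttl)
    @ttl = ttl
    @data = {}
  end

  def write(sid, value, now)
    @data[sid] = [value, now + @ttl]
  end

  def read(sid, now)
    value, deadline = @data[sid]
    if deadline.nil? || now >= deadline
      @data.delete(sid)
      return nil
    end
    write(sid, value, now)
    value
  end
end
```

With `:expire_after => nil` the patched rule emits a cookie with no `expires` attribute, while the four-hour idle limit still applies on the server side through the store's TTL.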