From 0e6fc421d5ef7a76cad0fb06c2c1d4fb26ee2ec9 Mon Sep 17 00:00:00 2001 From: Ben Anderson Date: Mon, 9 Jun 2025 14:22:25 +1200 Subject: [PATCH] Configure the hybrid cookie session store Rails 4.1 introduced the new JSON format, and it becomes default in Rails 5.0. We want to be using hybrid in production for a period of time in order to migrate everyone to JSON before letting JSON be the default. Rails 7.0 changes the default to :json, but as long as we leave this initialiser in place we will continue to use hybrid. There are very very minor security concerns to allowing hybrid (and therefore marshall) but there are other tradeoffs to using :json, too. https://guides.rubyonrails.org/upgrading_ruby_on_rails.html#cookies-serializer https://guides.rubyonrails.org/configuring.html#config-action-dispatch-cookies-serializer --- config/initializers/cookies_serializer.rb | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 config/initializers/cookies_serializer.rb diff --git a/config/initializers/cookies_serializer.rb b/config/initializers/cookies_serializer.rb new file mode 100644 index 00000000..f51a497e --- /dev/null +++ b/config/initializers/cookies_serializer.rb @@ -0,0 +1,5 @@ +# Be sure to restart your server when you modify this file. + +# Specify a serializer for the signed and encrypted cookie jars. +# Valid options are :json, :marshal, and :hybrid. +Rails.application.config.action_dispatch.cookies_serializer = :hybrid