From a6260276aeba45ad6737bd10222cb4659364c317 Mon Sep 17 00:00:00 2001 From: ttt-alexr Date: Tue, 28 Apr 2026 07:15:50 -0700 Subject: [PATCH 1/2] Set session store to use cache store Configure session store to use cache store with specific options. Issue 1571 Signed-off-by: ttt-alexr --- config/initializers/session_store.rb | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 config/initializers/session_store.rb diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb new file mode 100644 index 000000000..898ac38ca --- /dev/null +++ b/config/initializers/session_store.rb @@ -0,0 +1,13 @@ +# Use the Rails cache store (Redis in production) for the framework-level +# Rack session. The application's own user authentication is handled by +# the database-backed Session model (`_session_token`); this session is +# only used by middleware such as OmniAuth during the OIDC callback flow. +# +# Storing it in the cookie (Rails' default) overflows the 4KB limit when +# OmniAuth writes the full auth hash for IdPs that return many group +# claims. See: https://github.com/we-promise/sure/issues/1571 +Rails.application.config.session_store :cache_store, + key: "_sure_session", + expire_after: 1.hour, + httponly: true, + secure: Rails.env.production? From 9d5973249d92b93176c54115f9a19a58dd7fc022 Mon Sep 17 00:00:00 2001 From: ttt-alexr Date: Tue, 28 Apr 2026 07:45:25 -0700 Subject: [PATCH 2/2] Guard cache-backed session against NullStore environments In development without caching enabled and in test, Rails configures the cache store as :null_store, which silently drops writes. Falling back to the cookie store in those environments preserves multi-step flow state (OmniAuth, MFA, mobile SSO) without reintroducing the CookieOverflow risk, since dev/test users are unlikely to have production-scale group claims. Also externalize TTL via RACK_SESSION_TTL_HOURS per coding guidelines. 
Signed-off-by: ttt-alexr --- config/initializers/session_store.rb | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index 898ac38ca..9da57e653 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -6,8 +6,26 @@ # Storing it in the cookie (Rails' default) overflows the 4KB limit when # OmniAuth writes the full auth hash for IdPs that return many group # claims. See: https://github.com/we-promise/sure/issues/1571 -Rails.application.config.session_store :cache_store, - key: "_sure_session", - expire_after: 1.hour, - httponly: true, - secure: Rails.env.production? +# +# Falls back to the cookie store in environments where the cache is +# `NullStore` (e.g. development without caching, test). NullStore drops +# all writes, which would break multi-step flows like OmniAuth, MFA, and +# mobile SSO that rely on session state surviving across requests. +cache_store_config = Rails.application.config.cache_store +cache_store_type = cache_store_config.is_a?(Array) ? cache_store_config.first : cache_store_config + +session_ttl = ENV.fetch("RACK_SESSION_TTL_HOURS", "1").to_i.hours + +if cache_store_type == :null_store + Rails.application.config.session_store :cookie_store, + key: "_sure_session", + expire_after: session_ttl, + httponly: true, + secure: Rails.env.production? +else + Rails.application.config.session_store :cache_store, + key: "_sure_session", + expire_after: session_ttl, + httponly: true, + secure: Rails.env.production? +end
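Review bot: in the first patch's hunk (`@@ -0,0 +1,13 @@`) the comment promises "Redis in production", but nothing in the hunk enforces it, and with `:cache_store` the session lives only as long as the backing cache keeps the entry. If production ever runs a per-process store (`memory_store`) or a Redis with an eviction policy, the OmniAuth state written before the authorize redirect can be gone when the callback lands on another process, and the OIDC flow fails with a state mismatch rather than a clear error. Suggest either a boot-time check that `config.cache_store` in production is a shared store, or at least a comment naming that requirement next to `Rails.application.config.session_store :cache_store,`. Note also that `expire_after: 1.hour` is both the cookie lifetime and the cache TTL, so a user who takes longer than an hour between redirect and callback loses the flow. On `secure: Rails.env.production?`: any non-production deployment served over HTTPS (staging) gets the session-id cookie without the Secure flag; where `config.force_ssl` is on, `ActionDispatch::SSL` already marks cookies Secure, so this option chiefly matters for environments that do not set it, and those are exactly the ones excluded here.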
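Review bot: in the second patch's hunk (`@@ -6,8 +6,26 @@`) `ENV.fetch("RACK_SESSION_TTL_HOURS", "1").to_i.hours` silently turns a typo (`one`, an empty string) into `0.hours` and a negative value into a negative duration, so the session expires immediately and every multi-step flow breaks with no error at boot. Suggest `Integer(ENV.fetch("RACK_SESSION_TTL_HOURS", "1"))` plus a positive-value check so misconfiguration fails at startup. The NullStore detection compares only the configured symbol (`cache_store_config.is_a?(Array) ? cache_store_config.first : cache_store_config`); if `config.cache_store` is assigned a store instance rather than a symbol the check misses it and the session goes to a store that drops writes. Checking `Rails.cache.is_a?(ActiveSupport::Cache::NullStore)` covers both forms, since `Rails.cache` is built in the bootstrap initializers before config/initializers run. Finally, the two branches repeat `key:`, `expire_after:`, `httponly:` and `secure:`; build one options hash and pass it to whichever store is chosen so the cookie-store fallback cannot drift from the cache-store settings.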